CVE-2026-28806

Nerves-hub · nerves_hub_web

An improper authorization vulnerability in nerves_hub_web allows authenticated users to perform cross-organization device control via bulk actions and the device update API.

Executive summary

A critical authorization flaw in Nerves-hub's nerves_hub_web lets an authenticated user control devices that belong to organizations other than their own, posing a significant risk to fleet integrity and operational security.

Vulnerability

The vulnerability stems from improper authorization checks in the application's device management (bulk action) and device update APIs: device lookups are not scoped to the organizations the caller belongs to. An authenticated attacker in one organization can leverage these flaws to manipulate or control devices belonging to other organizations.
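The flaw class described above, as an added illustration written for this page (not nerves_hub_web's own code; the device, user and organization model and the action names are hypothetical): a bulk-action handler that resolves devices by id alone beside a hardened version that scopes every lookup to the caller's organizations and rejects the whole batch on any mismatch, with the single-device update path reusing the same check.

```python
"""Hypothetical model of cross-organization device control in a fleet API."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    id: int
    org_id: int          # organization that owns the device


@dataclass(frozen=True)
class User:
    id: int
    org_ids: frozenset   # organizations the user is a member of


# Constructed sample fleet: organization 1 owns devices 10 and 11, organization 2 owns 20.
DEVICES = {d.id: d for d in (Device(10, 1), Device(11, 1), Device(20, 2))}
ACTIONS = {"reboot", "identify", "update"}


class Forbidden(Exception):
    """Raised when a request touches a device outside the caller's organizations."""


def bulk_action_vulnerable(user: User, device_ids: list, action: str) -> list:
    """Vulnerable pattern: devices are looked up by id only, so any authenticated
    user can act on any organization's devices (the caller's org is never consulted)."""
    return [(i, action) for i in device_ids if i in DEVICES]


def bulk_action_fixed(user: User, device_ids: list, action: str) -> list:
    """Hardened pattern: every id is resolved within the caller's organizations and
    the whole batch fails if any device is missing or foreign (no partial execution)."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    targets = []
    for i in device_ids:
        dev = DEVICES.get(i)
        # Same error for "does not exist" and "belongs to another org", so the
        # response does not reveal which device ids exist in other tenants.
        if dev is None or dev.org_id not in user.org_ids:
            raise Forbidden("device not found in caller's organizations")
        targets.append((dev.id, action))
    return targets


def update_device_fixed(user: User, device_id: int, firmware_ref: str) -> dict:
    """Single-device update endpoint guarded by the same org-scoped lookup."""
    [(dev_id, _)] = bulk_action_fixed(user, [device_id], "update")
    return {"device": dev_id, "firmware": firmware_ref}
```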

Business impact

This vulnerability carries a high risk of unauthorized command execution across managed device fleets, which could lead to widespread service disruption, data exfiltration, or the deployment of malicious firmware. With a CVSS score of 8.8, this flaw represents a significant threat to organizations relying on Nerves-hub for fleet management, necessitating immediate remediation to prevent unauthorized cross-tenant access.

Remediation

Immediate Action: Review the official Nerves-hub security advisories and apply the latest available updates or security patches for the nerves_hub_web component.

Proactive Monitoring: Audit access logs for anomalous API requests, specifically monitoring for device bulk actions or update commands originating from unauthorized or unexpected organizational accounts.

Compensating Controls: Implement strict network-level access controls and ensure that API keys or service accounts possess the least privilege necessary for their intended functions.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The authorization failure in nerves_hub_web is a high-severity issue that could compromise the entire device infrastructure. Administrators must prioritize identifying their current version and applying the vendor-supplied security update as soon as it becomes available to prevent unauthorized cross-organization control.