
Unauthorized Access to Devices in Other Organizations

Identifiers: CVE-2026-28806 · EEF-CVE-2026-28806 · GHSA-f8fr-mccc-xvcx
Summary

An improper-authorization issue in nerves-hub nerves_hub_web allows authenticated users with certain permissions to control devices belonging to other organizations. This could let an attacker take control of devices, update their firmware, or disrupt their connections. Users should update to version 2.4.0 or later to fix this issue.

Original title
Improper authorization in device bulk actions and device update API allows cross-organization device control
Original description
Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API.

Missing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target devices belonging to other organizations and perform actions outside of their privilege level.

An attacker can select devices outside of their organization by manipulating device identifiers and perform management actions on them, such as moving them to products they control. This may allow attackers to interfere with firmware updates, access device functionality exposed by the platform, or disrupt device connectivity.

In environments where additional features such as remote console access are enabled, this could lead to full compromise of affected devices.

This issue affects nerves_hub_web: from 1.0.0 before 2.4.0.
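The flaw the description names is a device lookup that never ties the requested identifiers to the caller's organization or checks the caller's role for that organization. The following Python model is an added illustration, not code from nerves_hub_web (which is an Elixir/Phoenix application); the names Device, Product, User, bulk_move_unscoped and bulk_move_scoped, the sample data and the role policy are all assumptions. It contrasts the unscoped lookup with a scoped one that fails closed when any id in the batch does not resolve inside the authorized organization.

```python
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List

# Illustrative model only (assumed names): NervesHub's real schemas, contexts
# and function names are not used here.


@dataclass(frozen=True)
class Device:
    id: int
    identifier: str
    org_id: int
    product_id: int


@dataclass(frozen=True)
class Product:
    id: int
    org_id: int


@dataclass(frozen=True)
class User:
    id: int
    # org_id -> role. Assumed policy: only "admin" and "manage" may move devices.
    roles: Dict[int, str]


class AuthorizationError(Exception):
    """Raised when the caller may not act on the requested resources."""


# Constructed sample data: two organizations, one product each, two devices each.
PRODUCTS = {p.id: p for p in (Product(10, org_id=1), Product(20, org_id=2))}
DEVICES = {
    d.id: d
    for d in (
        Device(1, "dev-a1", org_id=1, product_id=10),
        Device(2, "dev-a2", org_id=1, product_id=10),
        Device(3, "dev-b1", org_id=2, product_id=20),
        Device(4, "dev-b2", org_id=2, product_id=20),
    )
}

MANAGING_ROLES = {"admin", "manage"}


def bulk_move_unscoped(device_ids: Iterable[int], target_product_id: int) -> List[Device]:
    """The flawed shape: devices are fetched by id alone and the caller's
    organization never enters the query, so any id that resolves is acted on.
    Kept here only as the contrast for the scoped version below."""
    moved = []
    for device_id in device_ids:
        device = DEVICES.get(device_id)
        if device is not None:
            moved.append(replace(device, product_id=target_product_id))
    return moved


def bulk_move_scoped(
    user: User, org_id: int, device_ids: Iterable[int], target_product_id: int
) -> List[Device]:
    """Hardened shape: authorize the caller's role for the organization, confirm
    the target product belongs to that same organization, and fetch devices
    scoped to the organization. Any id that does not resolve inside the org
    rejects the whole batch (fail closed) rather than being silently skipped."""
    if user.roles.get(org_id) not in MANAGING_ROLES:
        raise AuthorizationError(f"user {user.id} may not manage org {org_id}")

    target = PRODUCTS.get(target_product_id)
    if target is None or target.org_id != org_id:
        raise AuthorizationError(f"product {target_product_id} is not in org {org_id}")

    requested = set(device_ids)
    # Scoped lookup: the org constraint is part of the lookup itself, not a
    # post-filter applied after fetching by id.
    devices = [d for d in DEVICES.values() if d.id in requested and d.org_id == org_id]
    if len(devices) != len(requested):
        missing = sorted(requested - {d.id for d in devices})
        # Same error for "does not exist" and "belongs to another org", so the
        # endpoint does not confirm which foreign ids are real.
        raise AuthorizationError(f"devices not found in org {org_id}: {missing}")

    return [replace(d, product_id=target_product_id) for d in devices]
```

With a real ORM the org constraint belongs in the same query as the id match (a where clause on the organization, joined through the product if that is where ownership lives), so there is no window in which an unscoped row is loaded. Rejecting the whole batch and logging it is also a detection aid: an authenticated account submitting ids that resolve only in other organizations is exactly the probing this advisory describes.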
NVD CVSS 4.0 score: 9.4
Vulnerability type: CWE-285 Improper Authorization · CWE-668 Exposure of Resource to Wrong Sphere
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026