Description
An Authorization Bypass Through User-Controlled Key vulnerability in Hubitat Elevation home automation controllers prior to version 2.4.2.157 could allow a remote authenticated user to control connected devices outside of their authorized scope via client-side request manipulation.
Published: 2026-01-22
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Device Control
Action: Immediate Patch
AI Analysis

Impact

An authorization bypass exists in Hubitat Elevation firmware versions prior to 2.4.2.157. Once authenticated to the hub, a user can modify a key in client‑side requests that the hub trusts, leading the controller to execute device commands that fall outside the user’s allowed device scope. The result is that an attacker can remotely control devices they should not be able to, compromising the integrity and availability of the home automation system.
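The weakness class behind this CVE (CWE-639) is easiest to see in code. The following is an added illustration, not Hubitat's firmware or API: a hypothetical hub command handler in which the "before" version trusts the device key supplied in the client request, and the "after" version validates that key against the scope the server attached to the authenticated session before acting. All user names, device ids and request bodies are constructed for the example.

```python
"""
Added example (not Hubitat's code): the CWE-639 pattern behind CVE-2026-1201
on a hypothetical home-automation hub API, beside the server-side authorization
check that closes it. Users, device ids and requests are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    # Device ids this user was granted. Populated server-side at login and
    # never derived from anything in the request body.
    authorized_devices: frozenset[str]


@dataclass
class Hub:
    devices: dict[str, str] = field(default_factory=dict)  # device id -> state
    audit_log: list[str] = field(default_factory=list)

    def command_vulnerable(self, session: Session, request: dict) -> str:
        """Before: the caller is authenticated, but the object key in the
        request is trusted as-is and never tied to the caller's scope."""
        device_id = request["device"]
        self.devices[device_id] = request["command"]
        return f"{device_id}:{self.devices[device_id]}"

    def command_hardened(self, session: Session, request: dict) -> str:
        """After: the device id is checked against the session's server-side
        scope before any device action runs; denials are logged."""
        device_id = request["device"]
        if device_id not in self.devices:
            raise KeyError("unknown device")
        if device_id not in session.authorized_devices:
            # Repeated denials for ids outside a user's scope are a useful
            # detection signal for request tampering.
            self.audit_log.append(f"DENY user={session.user} device={device_id}")
            raise PermissionError("device outside caller's authorized scope")
        self.devices[device_id] = request["command"]
        return f"{device_id}:{self.devices[device_id]}"


def demo() -> dict:
    """Run the same tampered request through both handlers and report the
    outcome so the difference can be asserted on."""
    guest = Session(user="guest", authorized_devices=frozenset({"lamp-1"}))
    # Constructed request whose device key was rewritten client-side from the
    # guest's own lamp to a device the guest was never granted.
    tampered = {"device": "plug-2", "command": "on"}
    in_scope = {"device": "lamp-1", "command": "on"}

    vuln_hub = Hub(devices={"lamp-1": "off", "plug-2": "off"})
    vuln_hub.command_vulnerable(guest, tampered)
    vulnerable_changed = vuln_hub.devices["plug-2"] == "on"

    hub = Hub(devices={"lamp-1": "off", "plug-2": "off"})
    try:
        hub.command_hardened(guest, tampered)
        hardened_denied = False
    except PermissionError:
        hardened_denied = hub.devices["plug-2"] == "off"
    in_scope_ok = hub.command_hardened(guest, in_scope) == "lamp-1:on"

    return {
        "vulnerable_changed": vulnerable_changed,
        "hardened_denied": hardened_denied,
        "in_scope_ok": in_scope_ok,
        "audit": list(hub.audit_log),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that authentication alone does not decide the request: the key naming the target object must be resolved against an authorization set the server controls, and the failure path should both refuse the action and leave an auditable record.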

Affected Systems

The flaw applies to all Hubitat Elevation models, including the Elevation C3, C4, C5, C7, C8 and C8 Pro, when running firmware earlier than 2.4.2.157.

Risk and Exploitability

The CVSS score of 9.4 places this vulnerability in the critical range. The EPSS score of <1% indicates a very low probability of exploitation, but the ability to bypass authorization makes it highly valuable to an attacker. The flaw is not currently listed in the CISA KEV catalog. An attacker needs only already-authenticated access to the hub's interface or API; from there, manipulating request parameters can instruct the hub to control devices outside the attacker's legitimate permissions.

Generated by OpenCVE AI on April 18, 2026 at 18:58 UTC.

Remediation

Vendor Solution

Hubitat has released firmware version 2.4.2.157 for users to install: https://community.hubitat.com/t/release-2-4-2-available/154531/10


OpenCVE Recommended Actions

  • Upgrade all Hubitat Elevation hubs to firmware 2.4.2.157 or newer, following the vendor’s release instructions.
  • Restrict access to the hub’s web interface or API by applying network segmentation or firewall rules so that only trusted devices can connect, and consider disabling remote administration until the patch is verified.
  • Enable automatic firmware updates when available, or set up a regular update schedule to receive future security releases promptly.



Advisories

No advisories yet.

History

Thu, 29 Jan 2026 17:00:00 +0000

Type: References

Fri, 23 Jan 2026 21:15:00 +0000

Type: Metrics ssvc
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
Values Added: Hubitat; Hubitat elevation C3; Hubitat elevation C4; Hubitat elevation C5; Hubitat elevation C7; Hubitat elevation C8; Hubitat elevation C8 Pro

Type: Vendors & Products
Values Added: Hubitat; Hubitat elevation C3; Hubitat elevation C4; Hubitat elevation C5; Hubitat elevation C7; Hubitat elevation C8; Hubitat elevation C8 Pro

Thu, 22 Jan 2026 23:00:00 +0000

Type: Description
Values Added: An Authorization Bypass Through User-Controlled Key vulnerability in Hubitat Elevation home automation controllers prior to version 2.4.2.157 could allow a remote authenticated user to control connected devices outside of their authorized scope via client-side request manipulation.

Type: Title
Values Added: Authorization Bypass Through User-Controlled Key in Hubitat Elevation Hubs

Type: Weaknesses
Values Added: CWE-639

Type: References

Type: Metrics cvssV4_0
Values Added: {'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-01-29T16:51:31.043Z

Reserved: 2026-01-19T14:29:21.551Z

Link: CVE-2026-1201

Vulnrichment

Updated: 2026-01-23T20:12:43.981Z

NVD

Status : Deferred

Published: 2026-01-22T22:16:16.130

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1201

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T19:00:08Z

Weaknesses