Description
Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API.

Missing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target devices belonging to other organizations and perform actions outside of their privilege level.

An attacker can select devices outside of their organization by manipulating device identifiers and perform management actions on them, such as moving them to products they control. This may allow attackers to interfere with firmware updates, access device functionality exposed by the platform, or disrupt device connectivity.

In environments where additional features such as remote console access are enabled, this could lead to full compromise of affected devices.

This issue affects nerves_hub_web: from 1.0.0 before 2.4.0.
Published: 2026-03-10
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized cross‑organization device control
Action: Apply patch
AI Analysis

Impact

The vulnerability is an improper authorization bug that lets an authenticated user perform bulk device actions or update commands on devices that belong to another organization. Because the API fails to verify that the caller has permission for each target device, the attacker can manipulate device identifiers to select devices outside their own organization. The resulting impact includes moving devices between products the attacker controls, tampering with firmware updates, and potentially enabling downstream attacks such as remote console access, which could lead to full device compromise.

Affected Systems

The issue affects Nerves Hub's web application, versions from 1.0.0 up to (but not including) 2.4.0. The affected product is nerves_hub_web, maintained by the Nerves Hub project.

Risk and Exploitability

The CVSS score of 9.4 indicates a critical severity, while the EPSS score of less than 1% suggests low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. An attacker would need valid credentials to a Nerves Hub account and would exploit the API endpoints for bulk actions or device updates. Once authenticated, the absence of per‑device authorization checks allows arbitrary manipulation of any device across organizational boundaries.

Generated by OpenCVE AI on April 15, 2026 at 22:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nerves Hub to version 2.4.0 or later where the authorization checks for device bulk actions and updates have been implemented.
  • If an immediate upgrade is not feasible, restrict the device bulk action and device update API endpoints to administrators only, or disable them entirely in your deployment.
  • Implement additional validation in your application to ensure that each device ID in bulk requests belongs to the requesting user's organization before performing any actions.
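The per-device ownership check in the last recommendation, written out as an added illustration in Elixir (the language Nerves Hub is built in). This is not Nerves Hub's own code: the module name, the device fields (`id`, `org_id`, `product_id`) and the in-memory device list are assumptions constructed for the example.

```elixir
defmodule DeviceBulkAuth do
  @moduledoc """
  Added example (not Nerves Hub code): authorize every device named in a
  bulk request against the requesting user's organization before acting.
  Field names and the in-memory device list are assumptions.
  """

  # Constructed sample data: two devices in organization 1, one in organization 2.
  @devices [
    %{id: 101, org_id: 1, product_id: 10},
    %{id: 102, org_id: 1, product_id: 10},
    %{id: 201, org_id: 2, product_id: 20}
  ]

  @doc """
  Returns {:ok, devices} only when every requested id resolves to a device
  owned by `org_id`. Any id outside the organization (or unknown) rejects
  the whole request instead of silently dropping it, so a request that
  smuggles in a foreign device id cannot partially succeed.
  """
  def authorize_bulk(device_ids, org_id, devices \\ @devices) do
    ids = Enum.uniq(device_ids)

    owned = Enum.filter(devices, &(&1.org_id == org_id and &1.id in ids))

    if length(owned) == length(ids) do
      {:ok, owned}
    else
      owned_ids = MapSet.new(owned, & &1.id)
      rejected = Enum.reject(ids, &MapSet.member?(owned_ids, &1))
      {:error, {:forbidden, rejected}}
    end
  end

  @doc "Bulk move to a product, performed only after authorization succeeds."
  def move_to_product(device_ids, org_id, target_product_id) do
    with {:ok, devices} <- authorize_bulk(device_ids, org_id) do
      {:ok, Enum.map(devices, &%{&1 | product_id: target_product_id})}
    end
  end
end

# Organization 1 may move its own devices...
{:ok, _moved} = DeviceBulkAuth.move_to_product([101, 102], 1, 11)
# ...but a request that includes organization 2's device is rejected as a whole.
{:error, {:forbidden, [201]}} = DeviceBulkAuth.move_to_product([101, 201], 1, 11)
IO.puts("authorization checks passed")
```

In a real deployment the in-memory filter would be a database query restricted to the caller's organization (in Ecto terms, a `where` on both the id list and `org_id`), with the same count comparison deciding whether to proceed; the single-device update endpoint is the one-element case of the same check. The target product of a move should be verified to belong to the caller's organization in the same way, since the description notes that attackers moved devices into products they control.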

Tracking

Advisories

No advisories yet.

History

Mon, 06 Apr 2026 16:45:00 +0000


Thu, 12 Mar 2026 03:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 21:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API. Missing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target devices belonging to other organizations and perform actions outside of their privilege level. An attacker can select devices outside of their organization by manipulating device identifiers and perform management actions on them, such as moving them to products they control. This may allow attackers to interfere with firmware updates, access device functionality exposed by the platform, or disrupt device connectivity. In environments where additional features such as remote console access are enabled, this could lead to full compromise of affected devices. This issue affects nerves_hub_web: from 1.0.0 before 2.4.0.
Title | | Improper authorization in device bulk actions and device update API allows cross-organization device control
First Time appeared | | Nerves-hub, Nerves-hub nerves Hub Web
Weaknesses | | CWE-285, CWE-668
CPEs | | cpe:2.3:a:nerves-hub:nerves_hub_web:*:*:*:*:*:*:*:*
Vendors & Products | | Nerves-hub, Nerves-hub nerves Hub Web
References | |
Metrics | | cvssV4_0 {'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-04-06T16:44:12.196Z

Reserved: 2026-03-03T14:40:00.589Z

Link: CVE-2026-28806

Vulnrichment

Updated: 2026-03-11T14:36:15.921Z

NVD

Status : Awaiting Analysis

Published: 2026-03-10T22:16:18.420

Modified: 2026-04-06T17:17:09.000

Link: CVE-2026-28806

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T22:45:16Z

Weaknesses