Description
This vulnerability, in the MAXHUB Pivot client application versions
prior to v1.36.2, may allow an attacker to obtain encrypted tenant email
addresses and related metadata from any tenant. Due to the presence of a
hardcoded AES key within the application, the encrypted data can be
decrypted, enabling access to tenant email addresses and associated
information in cleartext. Furthermore, an attacker may be able to cause a
denial-of-service condition by enrolling multiple unauthorized devices
into a tenant via MQTT, potentially disrupting tenant operations.
Published: 2026-05-07
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the MAXHUB Pivot client application before version 1.36.2. A hardcoded AES key allows an attacker to decrypt data that is otherwise encrypted, exposing tenant email addresses and related metadata. In addition, an attacker may enroll multiple unauthorized devices into a tenant via MQTT, which can degrade or halt tenant operations. The weakness is formally classified as CWE-327, a broken or risky cryptographic algorithm.

Affected Systems

All installations of the MAXHUB Pivot client application older than v1.36.2 are affected. Users of v1.36.2 or newer are not susceptible. The flaw impacts any tenant that utilizes the client application for managing its environment.

Risk and Exploitability

The CVSS score of 7.3 reflects a high severity vulnerability. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. The exploit is facilitated by the presence of a static cryptographic key and an MQTT interface that can accept unauthorized device enrollments, implying that an attacker with network or local access could read sensitive information and potentially disrupt services. The lack of a listed KEV suggests no current exploitation reports, but the high CVSS indicates substantial potential impact if the vulnerability is abused.

Generated by OpenCVE AI on May 7, 2026 at 23:50 UTC.

Remediation

Vendor Solution

MAXHUB recommends users upgrade the Pivot client application to v1.36.2 or newer. The remediation has been made available through an OTA update. Users running v1.36.2 or later are not affected and need only ensure they continue to maintain the latest version. At this time, MAXHUB is not aware of any public exploitation of this issue. For more information, see the MAXHUB support page: https://www.maxhub.com/en/support/


OpenCVE Recommended Actions

  • Upgrade the Pivot client application to version 1.36.2 or newer; the vendor recommends applying the OTA update as the official fix.
  • Continuously monitor MQTT traffic for anomalous device enrollment patterns, and reject any unauthorized device connections to mitigate the denial-of-service attack surface.
  • Restrict network access to the MQTT broker using firewall rules or isolation so that only authenticated and authorized devices can enroll.

Generated by OpenCVE AI on May 7, 2026 at 23:50 UTC.
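One way to implement the enrollment-burst monitoring in the second recommended action above, as an added example that is not OpenCVE's or MAXHUB's code: a sliding-window counter over MQTT broker log lines that raises one alert per tenant when enrollment messages arrive faster than a threshold. The log line format, the tenants/<tenant>/enroll topic layout, the sample lines and the threshold are all constructed assumptions for illustration; a real deployment would map these onto the broker's actual log format and topic scheme.

```python
"""Added example: detect bursts of device-enrollment messages per tenant.
Not OpenCVE's or MAXHUB's code. Log format, topic layout and sample data
are constructed assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timezone
import re

# Assumed broker log format: "<ISO timestamp> client=<id> topic=<topic>".
LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) topic=(?P<topic>\S+)$")
# Assumed topic layout for enrollment messages.
ENROLL_TOPIC_RE = re.compile(r"^tenants/(?P<tenant>[^/]+)/enroll$")

# Constructed sample log: "acme" receives six enrollments within a few seconds
# (the burst pattern), "globex" receives two enrollments five minutes apart.
SAMPLE_LOG = """\
2026-05-07T10:00:00Z client=dev-100 topic=tenants/globex/enroll
2026-05-07T10:00:01Z client=dev-001 topic=tenants/acme/enroll
2026-05-07T10:00:02Z client=dev-002 topic=tenants/acme/enroll
2026-05-07T10:00:02Z client=dev-002 topic=tenants/acme/telemetry
2026-05-07T10:00:03Z client=dev-003 topic=tenants/acme/enroll
2026-05-07T10:00:04Z client=dev-004 topic=tenants/acme/enroll
2026-05-07T10:00:05Z client=dev-005 topic=tenants/acme/enroll
2026-05-07T10:00:06Z client=dev-006 topic=tenants/acme/enroll
2026-05-07T10:05:00Z client=dev-101 topic=tenants/globex/enroll
"""


def parse_line(line):
    """Return (timestamp, tenant, client) for an enrollment line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    t = ENROLL_TOPIC_RE.match(m["topic"])
    if not t:
        return None  # not an enrollment message; ignore
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, t["tenant"], m["client"]


def detect_enrollment_bursts(log_text, window_seconds=60, threshold=5):
    """Alert once per tenant when >= threshold enrollments land within window_seconds.

    Returns a list of alert dicts with the tenant, the start of the offending
    window, the count at the moment the threshold was crossed, and the
    distinct client ids involved (useful for deciding what to reject)."""
    windows = defaultdict(deque)  # tenant -> deque of (ts, client) inside the window
    alerts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, tenant, client = parsed
        q = windows[tenant]
        q.append((ts, client))
        # Drop entries that have aged out of the sliding window.
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and tenant not in alerts:
            alerts[tenant] = {
                "tenant": tenant,
                "window_start": q[0][0].isoformat(),
                "count": len(q),
                "clients": sorted({c for _, c in q}),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_enrollment_bursts(SAMPLE_LOG):
        print(alert)
```

The detector deliberately fires only on the first breach per tenant so an ongoing burst does not flood the alert channel; the list of client ids in the alert is what an operator would feed into the broker's deny list or ACL to reject the unauthorized enrollments.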


Advisories

No advisories yet.

History

Thu, 07 May 2026 22:45:00 +0000

Type | Values Removed | Values Added
Description | (empty) | This vulnerability, in the MAXHUB Pivot client application versions prior to v1.36.2, may allow an attacker to obtain encrypted tenant email addresses and related metadata from any tenant. Due to the presence of a hardcoded AES key within the application, the encrypted data can be decrypted, enabling access to tenant email addresses and associated information in cleartext. Furthermore, an attacker may be able to cause a denial-of-service condition by enrolling multiple unauthorized devices into a tenant via MQTT, potentially disrupting tenant operations.
Title | (empty) | MAXHUB Pivot Client Application Use of a Broken or Risky Cryptographic Algorithm
Weaknesses | (empty) | CWE-327
References | (empty) | (empty)
Metrics | (empty) | cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-05-07T22:25:54.959Z

Reserved: 2026-04-15T23:14:19.539Z

Link: CVE-2026-6411

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-07T23:16:32.987

Modified: 2026-05-07T23:16:32.987

Link: CVE-2026-6411

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T00:00:12Z

Weaknesses