Description
A weakness has been identified in ThingsBoard up to 4.3.1.1. Affected by this vulnerability is the function getGatewayDockerComposeFile of the file /api/v1/provision of the component YAML Handler. This manipulation causes code injection. It is possible to initiate the attack remotely. The attack's complexity is rated as high. The exploitation appears to be difficult. The project was informed of the problem early through a pull request but has not reacted yet.
Published: 2026-05-26
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability exists in the ThingsBoard provisioning API and enables attackers to inject arbitrary code through the getGatewayDockerComposeFile function. The injected code is executed within the server environment, giving an attacker potential control over the infrastructure. The weakness is classified as CWE-74 (Code Injection) and CWE-94 (Improper Control of Generation of Code). Based on the description it is inferred that an attacker can exploit this remotely, but the attack complexity is high and the overall exploitation difficulty is rated as difficult.

Affected Systems

ThingsBoard up to version 4.3.1.1 is affected. No lower-bound version is specified, but any instance of ThingsBoard 4.3.1.1 or earlier should be considered vulnerable.

Risk and Exploitability

The CVSS v4.0 score of 2.3 places this issue in the low severity range, and no EPSS score is available. It is not listed in the CISA KEV catalog. Despite the low CVSS, the nature of the vulnerability allows remote code execution, making it potentially high impact if exploited. The attack vector is inferred to be remote, requiring the ability to submit specially crafted requests to the provisioning endpoint. Because of the high attack complexity and difficult exploitation, the likelihood of immediate exploitation is low, but the impact would be severe if an attack succeeded.

Generated by OpenCVE AI on May 26, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s official patch or upgrade to a version that fixes the code injection flaw as soon as it is released
  • Restrict access to the provisioning API to trusted networks or authenticated users only
  • Implement strict input validation and sanitization for YAML inputs to prevent code injection
  • If a patch is unavailable, consider disabling the getGatewayDockerComposeFile endpoint or monitoring for suspicious activity



Advisories

No advisories yet.

History

Tue, 26 May 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | | A weakness has been identified in ThingsBoard up to 4.3.1.1. Affected by this vulnerability is the function getGatewayDockerComposeFile of the file /api/v1/provision of the component YAML Handler. This manipulation causes code injection. It is possible to initiate the attack remotely. The attack's complexity is rated as high. The exploitation appears to be difficult. The project was informed of the problem early through a pull request but has not reacted yet.
Title | | ThingsBoard YAML provision getGatewayDockerComposeFile code injection
First Time appeared | | Thingsboard; Thingsboard thingsboard
Weaknesses | | CWE-74; CWE-94
CPEs | | cpe:2.3:a:thingsboard:thingsboard:*:*:*:*:*:*:*:*
Vendors & Products | | Thingsboard; Thingsboard thingsboard
References | |
Metrics | | cvssV2_0

{'score': 5.1, 'vector': 'AV:N/AC:H/Au:N/C:P/I:P/A:P/E:ND/RL:ND/RC:UR'}

cvssV3_0

{'score': 5, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}

cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}

cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-26T18:00:13.406Z

Reserved: 2026-05-26T10:58:44.605Z

Link: CVE-2026-9568

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-26T19:16:34.610

Modified: 2026-05-26T19:37:00.120

Link: CVE-2026-9568

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T20:30:15Z

Weaknesses