CVE-2026-28806

Improper authorization in device bulk actions and device update API allows cross-organization device control

Assigner: EEF
Reserved: 03.03.2026 Published: 10.03.2026 Updated: 11.03.2026

Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API.

Missing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target devices belonging to other organizations and perform actions outside of their privilege level.

An attacker can select devices outside of their organization by manipulating device identifiers and perform management actions on them, such as moving them to products they control. This may allow attackers to interfere with firmware updates, access device functionality exposed by the platform, or disrupt device connectivity.

In environments where additional features such as remote console access are enabled, this could lead to full compromise of affected devices.

This issue affects nerves_hub_web: from 1.0.0 before 2.4.0.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 9.4

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	None	Availability	High	Availability	High
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	nerves-hub
Product	nerves_hub_web
Versions	Default: unaffected affected from 1.0.0 to 2.4.0 (excl.) affected from pkg:otp/nerves_hub@1.0.0 to pkg:otp/nerves_hub@2.4.0 (excl.)

Vendor

nerves-hub

Product

nerves_hub_web

Versions

Default: unaffected

affected from 1.0.0 to 2.4.0 (excl.)
affected from pkg:otp/nerves_hub@1.0.0 to pkg:otp/nerves_hub@2.4.0 (excl.)

Vendor	nerves-hub
Product	nerves_hub_web
Versions	Default: unaffected affected from 1.0.0 to 2.4.0 (excl.) affected from pkg:oci/nerves-hub?repository_url=ghcr.io/nerves-hub&tag=1.0.0 to pkg:oci/nerves-hub?repository_url=ghcr.io/nerves-hub&tag=2.4.0 (excl.)

Vendor

nerves-hub

Product

nerves_hub_web

Versions

Default: unaffected

affected from 1.0.0 to 2.4.0 (excl.)
affected from pkg:oci/nerves-hub?repository_url=ghcr.io/nerves-hub&tag=1.0.0 to pkg:oci/nerves-hub?repository_url=ghcr.io/nerves-hub&tag=2.4.0 (excl.)

Vendor	nerves-hub
Product	nerves_hub_web
Versions	Default: unaffected affected from adaeefdb7a835525482588f43332ef988cc448c7 to 1f69c9d595684a4650c3ac702f3dc7c5bcd7526c (excl.) affected from pkg:github/nerves-hub/nerves_hub_web@adaeefdb7a835525482588f43332ef988cc448c7 to pkg:github/nerves-hub/nerves_hub_web@1f69c9d595684a4650c3ac702f3dc7c5bcd7526c (excl.)

Vendor

nerves-hub

Product

nerves_hub_web

Versions

Default: unaffected

affected from adaeefdb7a835525482588f43332ef988cc448c7 to 1f69c9d595684a4650c3ac702f3dc7c5bcd7526c (excl.)
affected from pkg:github/nerves-hub/nerves_hub_web@adaeefdb7a835525482588f43332ef988cc448c7 to pkg:github/nerves-hub/nerves_hub_web@1f69c9d595684a4650c3ac702f3dc7c5bcd7526c (excl.)

Credits

Josh Kalderimis / NervesHub team & NervesCloud finder
Jonatan Männchen / EEF coordinator
Lars Wikman / NervesHub team & NervesCloud remediation reviewer

References

Problem Types

CWE-285 Improper Authorization CWE
CWE-668 Exposure of Resource to Wrong Sphere CWE

Impacts

CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs

CVE-2026-28806 PUBLISHED

Improper authorization in device bulk actions and device update API allows cross-organization device control

Metrics

Product Status

Credits

References

Problem Types

Impacts