CVE-2026-6411 PUBLISHED

MAXHUB Pivot Client Application Use of a Broken or Risky Cryptographic Algorithm

Assigner: icscert
Reserved: 15.04.2026 Published: 07.05.2026 Updated: 07.05.2026

This vulnerability, in the MAXHUB Pivot client application versions prior to v1.36.2, may allow an attacker to obtain encrypted tenant email addresses and related metadata from any tenant. Due to the presence of a hardcoded AES key within the application, the encrypted data can be decrypted, enabling access to tenant email addresses and associated information in cleartext. Furthermore, an attacker may be able to cause a denial-of-service condition by enrolling multiple unauthorized devices into a tenant via MQTT, potentially disrupting tenant operations.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS Score: 7.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	MAXHUB
Product	MAXHUB Pivot client application
Versions	Default: unaffected affected from 0 to 1.36.2 (excl.) Version 1.36.2 is unaffected

Solutions

MAXHUB recommends users upgrade the Pivot client application to v1.36.2 or newer. The remediation has been made available through an OTA update. Users running v1.36.2 or later are not affected and need only ensure they continue to maintain the latest version. At this time, MAXHUB is not aware of any public exploitation of this issue. For more information, see the MAXHUB support page. https://www.maxhub.com/en/support/

Credits

Malik MAKKES and Yassine BENGANA of Abicom Groupe OCI reported this vulnerability to MAXHUB. finder

References

Problem Types

CWE-327 CWE