CVE-2026-28806

{"id": "CVE-2026-28806", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.4, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-10T22:16:18.420", "references": [{"url": "https://cna.erlef.org/cves/CVE-2026-28806.html", "tags": ["Third Party Advisory", "Patch"], "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db"}, {"url": "https://github.com/nerves-hub/nerves_hub_web/commit/1f69c9d595684a4650c3ac702f3dc7c5bcd7526c", "tags": ["Patch"], "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db"}, {"url": "https://github.com/nerves-hub/nerves_hub_web/security/advisories/GHSA-f8fr-mccc-xvcx", "tags": ["Patch", "Vendor Advisory"], "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db"}, {"url": "https://osv.dev/vulnerability/EEF-CVE-2026-28806", "tags": ["Third Party Advisory", "Patch"], "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "description": [{"lang": "en", "value": "CWE-285"}, {"lang": "en", "value": "CWE-668"}]}], "descriptions": [{"lang": "en", "value": "Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API.\n\nMissing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target devices belonging to other organizations and perform actions outside of their privilege level.\n\nAn attacker can select devices outside of their organization by manipulating device identifiers and perform management actions on them, such as moving them to products they control. This may allow attackers to interfere with firmware updates, access device functionality exposed by the platform, or disrupt device connectivity.\n\nIn environments where additional features such as remote console access are enabled, this could lead to full compromise of affected devices.\n\nThis issue affects nerves_hub_web: from 1.0.0 before 2.4.0."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n indebida en nerves-hub nerves_hub_web permite el control de dispositivos entre organizaciones a trav\u00e9s de acciones masivas de dispositivos y la API de actualizaci\u00f3n de dispositivos.\n\nLa falta de comprobaciones de autorizaci\u00f3n en los puntos finales de las acciones masivas de dispositivos y la API de actualizaci\u00f3n de dispositivos permite a los usuarios autenticados dirigir dispositivos que pertenecen a otras organizaciones y realizar acciones fuera de su nivel de privilegio.\n\nUn atacante puede seleccionar dispositivos fuera de su organizaci\u00f3n manipulando los identificadores de los dispositivos y realizar acciones de gesti\u00f3n sobre ellos, como moverlos a productos que controlan. Esto puede permitir a los atacantes interferir con las actualizaciones de firmware, acceder a la funcionalidad del dispositivo expuesta por la plataforma o interrumpir la conectividad del dispositivo.\n\nEn entornos donde caracter\u00edsticas adicionales como el acceso a la consola remota est\u00e1n habilitadas, esto podr\u00eda llevar a un compromiso total de los dispositivos afectados.\n\nEste problema afecta a nerves_hub_web: desde la versi\u00f3n 1.0.0 anterior a la 2.4.0."}], "lastModified": "2026-05-27T13:47:15.800", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nerves-hub:nerveshub:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D982719F-4686-457F-AC3A-2589CA56652A", "versionEndExcluding": "2.4.0", "versionStartIncluding": "1.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db"}