PatchSiren cyber security CVE debrief

CVE-2026-1201 Hubitat CVE debrief

CVE-2026-1201 is a critical authorization bypass issue in Hubitat Elevation home automation controllers. According to CISA’s advisory, a remote authenticated user could manipulate client-side requests to control connected devices outside their authorized scope in versions prior to 2.4.2.157.

Vendor: Hubitat
Product: Elevation C3
CVSS: 9.1 (Critical)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-01-22
Original CVE updated: 2026-01-22
Advisory published: 2026-01-22
Advisory updated: 2026-01-22

Who should care

Organizations and households using Hubitat Elevation C3/C4/C5/C7/C8/C8 Pro hubs, especially administrators responsible for device access controls, authenticated user roles, and home/OT automation safety.

Technical summary

The advisory describes an Authorization Bypass Through User-Controlled Key weakness, referenced alongside CWE-639. The attack vector is network-reachable and requires an authenticated account, but successful exploitation crosses the authorization boundary between users and permits control of connected devices beyond the privileges intended for that account. CISA lists firmware 2.4.2.157 as the mitigation.

Defensive priority

Immediate

Recommended defensive actions

  • Upgrade Hubitat Elevation hubs to firmware version 2.4.2.157 or later as soon as possible.
  • Review user roles, permissions, and any device-scoping rules to ensure authenticated users can only control approved devices.
  • Inspect logs for unusual or unauthorized device-control activity, especially requests that may indicate client-side request manipulation.
  • Limit authenticated access to the platform to only necessary users and accounts.
  • After patching, verify that device authorization boundaries still behave as expected for each user role.
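As an added illustration of the CWE-639 pattern named in the technical summary and of the log review and post-patch verification steps above (example code written for this debrief, not Hubitat's firmware or API; the per-user device scopes, the log format and the handler names are constructed assumptions):

```python
# Constructed assumption: which device ids each authenticated account may control.
DEVICE_SCOPE = {
    "alice": {"dev-101", "dev-102"},
    "guest": {"dev-201"},
}

def control_device_vulnerable(user, device_id, command, sent):
    """CWE-639 pattern: the handler trusts the device id taken from the client
    request and only checks that the caller is authenticated, so any logged-in
    account can command any device. Returns True when the command is dispatched."""
    if user not in DEVICE_SCOPE:
        return False
    sent.append((user, device_id, command))
    return True

def control_device_hardened(user, device_id, command, sent):
    """Server-side scope check: the allowed device set is resolved from the
    authenticated identity, never from the request, so a tampered request
    cannot widen the caller's authority. Returns False when rejected."""
    if device_id not in DEVICE_SCOPE.get(user, set()):
        return False
    sent.append((user, device_id, command))
    return True

# Constructed sample log (not Hubitat's real log format): timestamp, user, device, command.
SAMPLE_LOG = """\
2026-01-23T10:00:01 user=alice device=dev-101 cmd=on
2026-01-23T10:00:07 user=guest device=dev-201 cmd=off
2026-01-23T10:00:09 user=guest device=dev-102 cmd=on
2026-01-23T10:00:15 user=bob device=dev-101 cmd=on
"""

def find_out_of_scope(log_text, scope=DEVICE_SCOPE):
    """Return (user, device) pairs for control requests that fall outside the
    user's scope. Before patching these indicate possible request manipulation;
    after patching they should appear as rejected, not as executed commands."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        if fields["device"] not in scope.get(fields["user"], set()):
            hits.append((fields["user"], fields["device"]))
    return hits
```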

Evidence notes

This debrief is based on CISA’s CSAF advisory ICSA-26-022-06 published on 2026-01-22 and the linked remediation note stating firmware version 2.4.2.157. The source corpus identifies the affected products as Hubitat Elevation C3/C4/C5/C7/C8/C8 Pro and references CWE-639. No KEV listing is included in the supplied corpus.

Official resources

CISA published the advisory and CVE record on 2026-01-22. The supplied corpus shows initial publication with no later modification recorded.