PatchSiren cyber security CVE debrief
CVE-2026-28806 nerves-hub CVE debrief
CVE-2026-28806 is an Improper Authorization vulnerability in nerves-hub nerves_hub_web allowing cross-organization device control via device bulk actions and device update API. Missing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target devices belonging to other organizations and perform actions outside of their privilege level.
- Vendor
- nerves-hub
- Product
- nerves_hub_web
- CVSS
- CRITICAL 9.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-03-10
- Original CVE updated
- 2026-05-27
- Advisory published
- 2026-03-10
- Advisory updated
- 2026-05-27
Who should care
Users of nerves_hub_web from version 1.0.0 before 2.4.0 should be aware of this vulnerability and take immediate action to protect their systems. This vulnerability allows attackers to interfere with firmware updates, access device functionality exposed by the platform, or disrupt device connectivity. In environments where additional features such as remote console access are enabled, this could lead to full compromise of affected devices.
Technical summary
The vulnerability exists due to missing authorization checks in the device bulk actions and device update API endpoints. This allows authenticated users to target devices belonging to other organizations and perform actions outside of their privilege level. An attacker can select devices outside of their organization by manipulating device identifiers and perform management actions on them, such as moving them to products they control.
Defensive priority
High
Recommended defensive actions
- Apply the patches provided by the vendor
- Restrict access to the device bulk actions and device update API endpoints
- Monitor for suspicious activity on the network
- Implement additional security measures such as multi-factor authentication
- Regularly review and update access controls
Evidence notes
The CVE record was published on 2026-03-10T22:16:18.420Z and was last modified on 2026-05-27T13:47:15.800Z. The NVD entry is currently Analyzed. Evidence is limited to public CVE and NVD information; defenders should verify affected deployments, scope, and vendor guidance with additional sources.
Official resources
-
CVE-2026-28806 CVE record
CVE.org
-
CVE-2026-28806 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db - Third Party Advisory, Patch
-
Mitigation or vendor reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db - Patch
-
Mitigation or vendor reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db - Patch, Vendor Advisory
-
Mitigation or vendor reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db - Third Party Advisory, Patch
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-03-10T22:16:18.420Z and has not been modified since then. The NVD entry is currently Analyzed.