PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6411 Raw CVE debrief

CVE-2026-6411 affects the MAXHUB Pivot client application in versions prior to v1.36.2. According to the CISA advisory, the client contains a hardcoded AES key, which lets an attacker decrypt stored tenant email addresses and related metadata belonging to any tenant. The same advisory notes a denial-of-service risk: an attacker can enroll multiple unauthorized devices into a tenant via MQTT, disrupting that tenant's operations. MAXHUB states that v1.36.2 or newer is the fix.

Vendor: MAXHUB
Product: MAXHUB Pivot client application, versions prior to v1.36.2
CVSS: 7.3 (High)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-07
Original CVE updated: 2026-05-07
Advisory published: 2026-05-07
Advisory updated: 2026-05-07

Who should care

Organizations using MAXHUB Pivot client application versions prior to v1.36.2, especially tenant administrators and IT teams responsible for device enrollment, tenant access, and client updates.

Technical summary

The advisory describes two issues in the MAXHUB Pivot client application prior to v1.36.2. First, tenant email addresses and related metadata are stored in encrypted form, but the AES key is hardcoded in the client, so anyone who extracts the key from a copy of the client can decrypt that data for any tenant. Second, unauthorized device enrollment via MQTT can be abused: an attacker who enrolls many devices into a tenant can create a denial-of-service condition for that tenant. The source assigns CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (7.3 High), i.e. network-reachable with no privileges or user interaction required, and low impact to each of confidentiality, integrity, and availability.
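As an added illustration (not code from MAXHUB, from the advisory, or from the Pivot client), the following Go program shows why a key compiled into a client gives no cross-tenant confidentiality, and contrasts it with a design in which the server derives a per-tenant key from a master secret it never ships. The key bytes, tenant names, and email address are constructed example values, the record format (nonce prepended to AES-256-GCM ciphertext) is an assumption, and HMAC-SHA256 stands in for a proper KDF such as HKDF. Nothing here reflects how Pivot actually stores or encrypts data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// hardcodedClientKey stands in for an AES key compiled into every copy of a
// client binary. Constructed example value; not MAXHUB's key.
var hardcodedClientKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes, AES-256

// sealGCM encrypts plaintext with AES-256-GCM under key, using a fresh random
// nonce that is prepended to the output. aad is authenticated but not encrypted.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; it fails if the key or aad does not match.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// VulnerableClientDecrypt models the flawed pattern: the decryption key ships
// inside the client, so any copy of the client (any tenant, or an attacker who
// extracted the constant) decrypts every tenant's records.
func VulnerableClientDecrypt(record []byte) ([]byte, error) {
	return openGCM(hardcodedClientKey, record, nil)
}

// TenantKey derives a per-tenant key from a master secret that exists only on
// the server. HMAC-SHA256 is used as a simple KDF here; prefer HKDF in production.
func TenantKey(master []byte, tenantID string) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte("tenant-record-key:" + tenantID))
	return mac.Sum(nil)
}

// ServerDecryptForCaller is the hardened path: decryption happens server-side,
// with the key for the tenant the caller is authorized for, and the tenant ID
// is bound into the AAD. A record belonging to another tenant fails to open.
func ServerDecryptForCaller(master []byte, callerTenant string, record []byte) ([]byte, error) {
	return openGCM(TenantKey(master, callerTenant), record, []byte(callerTenant))
}

func main() {
	email := []byte("alice@acme.example") // constructed sample record

	// Flawed: sealed for tenant "acme", yet any client instance opens it.
	rec, _ := sealGCM(hardcodedClientKey, email, nil)
	pt, err := VulnerableClientDecrypt(rec)
	fmt.Printf("shared client key: %q err=%v\n", pt, err)

	// Hardened: the master secret never leaves the server.
	master := []byte("server-only-master-secret-example") // constructed
	rec2, _ := sealGCM(TenantKey(master, "acme"), email, []byte("acme"))
	_, err = ServerDecryptForCaller(master, "globex", rec2)
	fmt.Println("other tenant:", err)
	pt, err = ServerDecryptForCaller(master, "acme", rec2)
	fmt.Printf("owning tenant: %q err=%v\n", pt, err)
}
```

The hardened version is not magic: it only helps if the master secret really stays on the server and the server checks which tenant the caller belongs to before choosing the key. Moving the same hardcoded constant from the client to the server, with no per-caller authorization, would change nothing about the cross-tenant exposure.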

Defensive priority

High

Recommended defensive actions

  • Upgrade MAXHUB Pivot client application to v1.36.2 or later as soon as possible.
  • Inventory deployed Pivot client versions and confirm no affected versions remain in use.
  • Review tenant access and device enrollment activity for unexpected or unauthorized entries.
  • Restrict and monitor MQTT-related access paths used by the client and tenant enrollment workflow.
  • Assess whether tenant email addresses or related metadata may have been exposed before remediation.
  • Follow MAXHUB support guidance and keep the client on the latest available version.
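The enrollment-review and MQTT-monitoring items above leave open what "unexpected" looks like in practice. The following Go program is an added example, not a MAXHUB tool or anything from the advisory: it parses constructed enrollment log lines in a hypothetical `timestamp key=value ...` format, flags tenants whose enrollments burst above a threshold inside a sliding window (the DoS pattern the advisory describes), and lists enrolled device IDs that are absent from an expected-device inventory. The log format, tenant names, device IDs, and source addresses are all constructed; adapt the parser to whatever your broker or enrollment service really emits.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// sampleLog is a constructed enrollment log in a hypothetical key=value format.
// Tenant "acme" receives six enrollments from one source in 15 seconds; tenant
// "globex" receives two enrollments hours apart.
var sampleLog = []string{
	"2026-05-08T09:00:00Z tenant=globex device=dev-100 action=enroll src=198.51.100.7",
	"2026-05-08T10:00:01Z tenant=acme device=dev-001 action=enroll src=203.0.113.5",
	"2026-05-08T10:00:04Z tenant=acme device=dev-002 action=enroll src=203.0.113.5",
	"2026-05-08T10:00:05Z tenant=acme device=dev-002 action=connect src=203.0.113.5",
	"2026-05-08T10:00:07Z tenant=acme device=dev-003 action=enroll src=203.0.113.5",
	"2026-05-08T10:00:10Z tenant=acme device=dev-004 action=enroll src=203.0.113.5",
	"2026-05-08T10:00:13Z tenant=acme device=dev-005 action=enroll src=203.0.113.5",
	"2026-05-08T10:00:16Z tenant=acme device=dev-006 action=enroll src=203.0.113.5",
	"2026-05-08T14:00:00Z tenant=globex device=dev-101 action=enroll src=198.51.100.7",
	"not a log line",
}

// enrollEvent is one parsed enrollment record.
type enrollEvent struct {
	at     time.Time
	tenant string
	device string
	src    string
}

// parseEnrollLine parses one line of the hypothetical format and returns
// ok=false for malformed lines and for events that are not enrollments.
func parseEnrollLine(line string) (enrollEvent, bool) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return enrollEvent{}, false
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return enrollEvent{}, false
	}
	ev := enrollEvent{at: at}
	action := ""
	for _, f := range fields[1:] {
		k, v, found := strings.Cut(f, "=")
		if !found {
			continue
		}
		switch k {
		case "tenant":
			ev.tenant = v
		case "device":
			ev.device = v
		case "src":
			ev.src = v
		case "action":
			action = v
		}
	}
	if action != "enroll" || ev.tenant == "" {
		return enrollEvent{}, false
	}
	return ev, true
}

// EnrollmentBursts returns, per tenant, the largest number of enrollments seen
// inside any sliding window of the given length, keeping only tenants whose
// peak reaches threshold. Timestamps are sorted first, so log order is irrelevant.
func EnrollmentBursts(lines []string, window time.Duration, threshold int) map[string]int {
	byTenant := map[string][]time.Time{}
	for _, l := range lines {
		if ev, ok := parseEnrollLine(l); ok {
			byTenant[ev.tenant] = append(byTenant[ev.tenant], ev.at)
		}
	}
	out := map[string]int{}
	for tenant, ts := range byTenant {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		peak, lo := 0, 0
		for hi := range ts {
			for ts[hi].Sub(ts[lo]) > window {
				lo++
			}
			if n := hi - lo + 1; n > peak {
				peak = n
			}
		}
		if peak >= threshold {
			out[tenant] = peak
		}
	}
	return out
}

// UnexpectedDevices returns enrolled device IDs that are absent from each
// tenant's expected-device set (for example, an asset inventory export).
func UnexpectedDevices(lines []string, expected map[string]map[string]bool) map[string][]string {
	out := map[string][]string{}
	for _, l := range lines {
		ev, ok := parseEnrollLine(l)
		if !ok {
			continue
		}
		if !expected[ev.tenant][ev.device] {
			out[ev.tenant] = append(out[ev.tenant], ev.device)
		}
	}
	return out
}

func main() {
	fmt.Println("burst tenants (>=5 enrollments in 60s):", EnrollmentBursts(sampleLog, 60*time.Second, 5))
	inventory := map[string]map[string]bool{
		"acme":   {"dev-001": true},
		"globex": {"dev-100": true, "dev-101": true},
	}
	fmt.Println("devices not in inventory:", UnexpectedDevices(sampleLog, inventory))
}
```

Tune the window and threshold to the tenant's normal enrollment rate; a rollout day will legitimately look like a burst, which is why the inventory check is the more reliable signal for unauthorized enrollment and the burst check is the one that catches the availability impact early.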

Evidence notes

This debrief is based on the CISA CSAF advisory ICSA-26-127-01 published on 2026-05-07 and the linked official references. The advisory text states that MAXHUB recommends upgrading to v1.36.2 or newer and notes that MAXHUB was not aware of public exploitation at the time of publication.

Official resources

Publicly disclosed by CISA in ICSA-26-127-01 on 2026-05-07; the advisory revision history lists the initial publication on the same date.