PatchSiren cyber security CVE debrief
CVE-2026-9568 ThingsBoard CVE debrief
A code injection vulnerability exists in ThingsBoard versions up to 4.3.1.1, specifically within the `getGatewayDockerComposeFile` function accessible via the `/api/v1/provision` endpoint. The vulnerability stems from improper handling of YAML input, allowing an attacker to inject and execute arbitrary code. The attack vector is network-based but requires high complexity and user interaction, resulting in a LOW severity CVSS 4.0 score of 2.3. The vulnerability was disclosed to the project maintainers via GitHub pull request #15550 prior to public disclosure, though no official response or patch has been released as of the CVE publication date of May 26, 2026.
- Vendor: ThingsBoard
- Product: ThingsBoard
- CVSS: LOW 2.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-26
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-26
- Advisory updated: 2026-05-26
Who should care
Organizations running ThingsBoard instances with exposed provision APIs, particularly those using gateway provisioning features. Security teams monitoring for unpatched vulnerabilities in IoT platform infrastructure. Developers and administrators responsible for ThingsBoard deployment security.
Technical summary
The vulnerability resides in the `getGatewayDockerComposeFile` function within ThingsBoard's provision API (`/api/v1/provision`). Insufficient input validation on YAML processing enables code injection. The attack requires network access but is mitigated by high complexity and required user interaction. No authentication requirements are specified in available data. The vulnerability affects versions up to and including 4.3.1.1.
Defensive priority
LOW
Recommended defensive actions
- Review and restrict access to the `/api/v1/provision` endpoint, implementing network segmentation or access controls where possible
- Monitor for unusual activity targeting the provision API endpoint, particularly requests attempting YAML payload manipulation
- Await official patch from ThingsBoard maintainers; verify PR #15550 status for potential community or unofficial fixes
- Implement input validation and sanitization for YAML processing functions, following secure coding practices for YAML parsers
- Consider disabling or restricting gateway provisioning functionality if not required for operations until a patch is available
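The last two actions above (input validation and safe YAML handling) are the ones that remove the bug class rather than only reduce exposure. The following Python example is added here for illustration; it is not code from ThingsBoard, from the advisory, or from PR #15550. It shows the vulnerable pattern (untrusted values concatenated into a YAML template, the CWE-74 shape) next to a hardened builder that allowlists identifiers and emits free text as escaped double-quoted scalars, plus a small structural check that a unit test can run over generated files. The compose template, the allowlist policy, the image name and all function names are assumptions; the page identifies the weakness only as CWE-74/CWE-94 in the YAML handling of `getGatewayDockerComposeFile`.

```python
import re

# Allowlist for identifiers that are written into the generated compose file.
# This policy is an assumption for the example; the page does not state what
# ThingsBoard itself accepts as a gateway name.
GATEWAY_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,62}")

# Matches mapping keys at column 0 of a YAML document (top-level keys).
TOP_LEVEL_KEY_RE = re.compile(r"^([^\s#][^:\n]*):", re.MULTILINE)


def validate_gateway_name(name: str) -> str:
    """Reject anything outside the allowlist before it reaches the YAML layer."""
    if not GATEWAY_NAME_RE.fullmatch(name):
        raise ValueError(f"gateway name rejected by allowlist: {name!r}")
    return name


def yaml_double_quote(value: str) -> str:
    """Emit a YAML double-quoted scalar with every special character escaped,
    so the value can never terminate the scalar or start a new line or key.
    A YAML library's emitter (SnakeYAML in Java, PyYAML safe_dump in Python)
    does this for you; it is written out here to keep the example dependency-free."""
    escapes = {"\\": "\\\\", '"': '\\"', "\n": "\\n", "\r": "\\r", "\t": "\\t"}
    out = []
    for ch in value:
        if ch in escapes:
            out.append(escapes[ch])
        elif ord(ch) < 0x20 or ch == "\x7f":
            out.append(f"\\x{ord(ch):02x}")  # remaining control characters
        else:
            out.append(ch)
    return '"' + "".join(out) + '"'


def build_compose_naive(gateway_name: str, description: str) -> str:
    """Vulnerable pattern (CWE-74): untrusted strings spliced into a YAML
    template by concatenation. A newline in either value ends the scalar and
    whatever follows is parsed as new YAML structure by the downstream consumer.
    Template and image name are constructed for this example."""
    return (
        "version: '3'\n"
        "services:\n"
        f"  {gateway_name}:\n"
        "    image: example/gateway-image\n"
        f"    container_name: {gateway_name}\n"
        "    labels:\n"
        f"      description: {description}\n"
    )


def build_compose_hardened(gateway_name: str, description: str) -> str:
    """Hardened pattern: identifiers must pass the allowlist and are still
    quoted; free text is always emitted as a quoted scalar. Same template."""
    name = yaml_double_quote(validate_gateway_name(gateway_name))
    desc = yaml_double_quote(description)
    return (
        "version: '3'\n"
        "services:\n"
        f"  {name}:\n"
        "    image: example/gateway-image\n"
        f"    container_name: {name}\n"
        "    labels:\n"
        f"      description: {desc}\n"
    )


def top_level_keys(doc: str) -> list[str]:
    """Structural check: names of keys at column 0. A correctly generated
    compose file has exactly the top-level keys the template declares."""
    return TOP_LEVEL_KEY_RE.findall(doc)


if __name__ == "__main__":
    # Constructed input: free text carrying a newline and a 'key: value' pair,
    # the generic way untrusted text becomes structure in CWE-74.
    crafted = "gateway in hall B\nextra_key: injected"
    print("naive    ->", top_level_keys(build_compose_naive("gw-01", crafted)))
    print("hardened ->", top_level_keys(build_compose_hardened("gw-01", crafted)))
    try:
        build_compose_hardened("gw-01\nextra_key: injected", "ok")
    except ValueError as exc:
        print("rejected:", exc)
```

The naive builder ends up with a third top-level key that the template never declared; the hardened builder keeps the same input inside one quoted scalar and refuses it outright when it appears in an identifier position. In a Java code base such as ThingsBoard the equivalent of `yaml_double_quote` is letting the YAML library serialize the structure (SnakeYAML's emitter) instead of formatting strings, and `top_level_keys` is the kind of cheap assertion worth keeping in a unit test for any function that generates YAML for a downstream consumer.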
Evidence notes
The vulnerability description identifies the affected component as the YAML handler in the `getGatewayDockerComposeFile` function at `/api/v1/provision`. The CVSS 4.0 vector indicates a network attack vector (AV:N), high attack complexity (AC:H), no attacker privileges required (PR:N), and passive user interaction required (UI:P). CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-94 (Improper Control of Generation of Code) are identified as the underlying weaknesses. The NVD status is listed as 'Deferred'.
Official resources
The vulnerability was reported to the ThingsBoard project through a pull request (GitHub PR #15550) before public disclosure. The CVE was published on May 26, 2026, with no indication of coordinated disclosure completion or vendor patch at