CRITICAL
nerves-hub
CVE published 2026-03-10
CVE-2026-28806
CVE-2026-28806 is an Improper Authorization vulnerability in nerves-hub nerves_hub_web allowing cross-organization device control via device bulk actions and device update API. Missing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target devices belonging to other organizations and perform actions outside of their privilege level.