PatchSiren

nerves-hub CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL nerves-hub CVE published 2026-03-10

CVE-2026-28806

CVE-2026-28806 is an Improper Authorization vulnerability in nerves-hub nerves_hub_web allowing cross-organization device control via device bulk actions and device update API. Missing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target devices belonging to other organizations and perform actions outside of their privilege level.