PatchSiren

ThingsBoard CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH ThingsBoard CVE published 2026-06-17

CVE-2026-53676

CVE-2026-53676 is a high-severity vulnerability in ThingsBoard that allows for arbitrary code execution within a sandboxed context by a user with tenant administrator privileges. The vulnerability is caused by a prototype pollution issue. This issue can lead to significant operational impact, especially in environments where tenant administrator privileges are widespread. Users should review their exposur [truncated]

CRITICAL ThingsBoard CVE published 2026-06-15

CVE-2026-36537

CVE-2026-36537 is an authentication bypass vulnerability in ThingsBoard v4.3.0.1. The vulnerability occurs during the OAuth authorization code exchange, where the application improperly trusts user-supplied identity data within the user parameter of the /login/oauth2/code/ endpoint. By manipulating the email address in this JSON object, a remote attacker can bypass authentication and gain full access to a [truncated]

LOW ThingsBoard CVE published 2026-05-26

CVE-2026-9568

A code injection vulnerability exists in ThingsBoard versions up to 4.3.1.1, specifically within the `getGatewayDockerComposeFile` function accessible via the `/api/v1/provision` endpoint. The vulnerability stems from improper handling of YAML input, allowing an attacker to inject and execute arbitrary code. The attack vector is network-based but requires high complexity and user interaction, resulting in [truncated]