CVE-2026-28806
Published: 10 March 2026
Summary
CVE-2026-28806 is a critical-severity Improper Authorization (CWE-285) vulnerability in Nerves-Hub Nerveshub. Its CVSS base score is 9.4 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 32.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10904
Vulnerability details
Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API. Missing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target devices belonging to other organizations and perform actions outside of their privilege level. An attacker can select devices outside of their organization by manipulating device identifiers and perform management actions on them, such as moving them to products they control. This may allow attackers to interfere with firmware updates, access device functionality exposed by the platform, or disrupt device connectivity. In environments where additional features such as remote console access are enabled, this could lead to full compromise of affected devices. This issue affects nerves_hub_web: from 1.0.0 before 2.4.0.
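As an added illustration (not code from nerves_hub_web, which is an Elixir project), the authorization defect the advisory describes, modelled in a language-neutral way: a bulk "move devices to product" action that trusts request-supplied device identifiers, beside a hardened variant that scopes every lookup to the caller's organization and refuses the whole batch before writing anything. All names, ids and the tenancy data are constructed for the example.

```python
class AuthorizationError(Exception):
    """Raised when a request touches a resource outside the caller's organization."""

def make_fixture():
    """Constructed sample tenancy (not real NervesHub data): org 10 owns products
    100 and 101 and devices 1-2; org 20 owns product 200 and device 3."""
    devices = {1: {"org": 10, "product": 100}, 2: {"org": 10, "product": 100},
               3: {"org": 20, "product": 200}}
    products = {100: {"org": 10}, 101: {"org": 10}, 200: {"org": 20}}
    return devices, products

def bulk_move_vulnerable(devices, products, actor_org, device_ids, target_product):
    """Pattern the advisory describes: request-supplied ids are looked up globally
    and written to, so nothing ties the devices or target product to the caller's org."""
    for did in device_ids:
        devices[did]["product"] = target_product  # no ownership check on either side
    return [devices[did]["product"] for did in device_ids]

def bulk_move_hardened(devices, products, actor_org, device_ids, target_product):
    """Hardened variant: every lookup is scoped to the actor's organization and the
    whole batch is rejected before any write if one id falls outside that scope."""
    target = products.get(target_product)
    if target is None or target["org"] != actor_org:
        raise AuthorizationError("target product is not in the caller's organization")
    # Same effect as filtering the device query by org rather than by id alone.
    in_scope = {did: d for did, d in devices.items() if d["org"] == actor_org}
    missing = [did for did in device_ids if did not in in_scope]  # unknown == foreign
    if missing:
        raise AuthorizationError(f"devices not in caller's organization: {missing}")
    for did in device_ids:
        in_scope[did]["product"] = target_product
    return [in_scope[did]["product"] for did in device_ids]

def rejects(action, *args):
    """True if the action refuses the request with AuthorizationError."""
    try:
        action(*args)
        return False
    except AuthorizationError:
        return True

if __name__ == "__main__":
    devs, prods = make_fixture()
    # Org 10 pulls org 20's device 3 into a product it controls: unchecked, it works.
    print(bulk_move_vulnerable(devs, prods, 10, [3], 101))  # [101]
    devs, prods = make_fixture()
    print(rejects(bulk_move_hardened, devs, prods, 10, [1, 3], 101))  # True
```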
- CWE(s): CWE-285 (Improper Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Improper authorization in web/API endpoints directly enables exploitation of a public-facing application (T1190) and abuse of valid cloud accounts for unauthorized cross-organization device actions (T1078.004).
Affected Assets
nerves_hub_web, versions from 1.0.0 before 2.4.0.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Requires explicit authorization for individuals to use external systems to access or handle organization-controlled information.
- Mandates explicit checks to confirm the sharing partner's authorizations align with the information's access and use restrictions.
- Authorization checks via training and content reviews ensure only approved information is released to public systems.
- Detects and blocks data mining attempts that violate intended authorization boundaries for data access.
- Requires and applies authorization decisions specifically to control information flows based on policy.
- Documenting security requirements and authorizing connections ensures correct authorization decisions.
- Documenting access to processing and storage locations helps ensure correct authorization for information resources.
- Limiting media access to authorized parties addresses improper authorization for resource access.