Cyber Resilience

CVE-2026-28806

Critical

Published: 10 March 2026

Modified: 27 May 2026
KEV Added: not listed
Patch: upgrade to nerves_hub_web 2.4.0 or later (affected versions run from 1.0.0 up to, but excluding, 2.4.0)
CVSS Score (v4): 9.4, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0041 (32.6th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-28806 is a critical-severity Improper Authorization (CWE-285) vulnerability in NervesHub (nerves-hub/nerves_hub_web). Its CVSS v4 base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score of 0.0041 places it at the 32.6th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.


Vulnerability details

Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API. Missing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target devices belonging to other organizations and perform actions outside of their privilege level. An attacker can select devices outside of their organization by manipulating device identifiers and perform management actions on them, such as moving them to products they control. This may allow attackers to interfere with firmware updates, access device functionality exposed by the platform, or disrupt device connectivity. In environments where additional features such as remote console access are enabled, this could lead to full compromise of affected devices. This issue affects nerves_hub_web: from 1.0.0 before 2.4.0.
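The defect described above is an object-level authorization gap: the handler verifies that the caller belongs to the organization named in the request, but never verifies that each submitted device id (or the target product) belongs to that same organization. The example below is added here and is not NervesHub code; the data model, function names and sample data are constructed for illustration. It shows the unsafe pattern beside a hardened version that authorizes every object in the batch and fails closed, plus a small helper that returns the out-of-scope ids so a defender can alert on such attempts.

```python
"""Added example, not NervesHub code: scoping a bulk device action to the
caller's organization so device ids from another organization are rejected.
All names and the sample data are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Device:
    id: int
    org_id: int
    product_id: int


@dataclass(frozen=True)
class User:
    id: int
    org_ids: frozenset  # organizations the user is a member of


class AuthorizationError(Exception):
    """Raised when a request references resources outside the caller's scope."""


# Constructed sample data: products are owned by organizations, devices by products.
PRODUCTS = {100: 10, 200: 20, 300: 20}  # product_id -> owning org_id


def sample_devices():
    """Fresh copy of the constructed device table so each call starts clean."""
    return {
        1: Device(1, org_id=10, product_id=100),
        2: Device(2, org_id=10, product_id=100),
        3: Device(3, org_id=20, product_id=200),
    }


def move_devices_vulnerable(user, org_id, device_ids, target_product_id, devices):
    """Pattern behind CWE-285 here: the handler trusts the submitted device ids and
    never compares each device's organization with the org the request names."""
    if org_id not in user.org_ids:           # only the org in the request is checked...
        raise AuthorizationError("not a member of this organization")
    moved = []
    for did in device_ids:                   # ...the device ids themselves are not
        devices[did].product_id = target_product_id
        moved.append(did)
    return moved


def out_of_scope_ids(org_id, device_ids, devices):
    """Ids that do not exist in, or do not belong to, the given organization.
    Useful both for the authorization decision and for alerting on attempts."""
    return sorted(
        did for did in device_ids
        if did not in devices or devices[did].org_id != org_id
    )


def move_devices_fixed(user, org_id, device_ids, target_product_id, devices):
    """Authorize every object in the batch: the caller's org membership, the
    target product's owner, and each device's owner must all match org_id.
    The whole batch fails closed rather than silently dropping foreign ids."""
    if org_id not in user.org_ids:
        raise AuthorizationError("not a member of this organization")
    if PRODUCTS.get(target_product_id) != org_id:
        raise AuthorizationError("target product belongs to another organization")
    foreign = out_of_scope_ids(org_id, device_ids, devices)
    if foreign:
        raise AuthorizationError(f"devices outside organization {org_id}: {foreign}")
    for did in device_ids:
        devices[did].product_id = target_product_id
    return sorted(set(device_ids))


def demo():
    """A user in org 20 submits org 10's device 1 alongside its own device 3,
    asking to move both into product 300, which org 20 controls."""
    caller = User(id=7, org_ids=frozenset({20}))
    before = sample_devices()
    vuln = sample_devices()
    moved = move_devices_vulnerable(caller, 20, [3, 1], 300, vuln)
    fixed = sample_devices()
    try:
        move_devices_fixed(caller, 20, [3, 1], 300, fixed)
        blocked = False
    except AuthorizationError:
        blocked = True
    return {
        "vulnerable_moved": moved,                          # [3, 1]: device 1 crossed orgs
        "vulnerable_device1_product": vuln[1].product_id,   # 300, a product owned by org 20
        "fixed_blocked": blocked,                           # True
        "fixed_unchanged": fixed == before,                 # True: fail closed, nothing moved
    }


if __name__ == "__main__":
    print(demo())
```

The hardened version rejects the whole request when any id falls outside the organization instead of filtering the foreign ids out quietly; a partially applied batch hides the probe from the audit log, whereas a rejected batch with the offending ids recorded is exactly the signal a detection rule for cross-organization id manipulation should key on.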

CWE(s): CWE-285 Improper Authorization; CWE-668 Exposure of Resource to Wrong Sphere

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1078.004 Cloud Accounts Stealth
Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Improper authorization in web/API endpoints directly enables exploitation of a public-facing application (T1190) and the abuse of valid cloud accounts for unauthorized cross-organization device actions (T1078.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

Affected Assets

Vendor: nerves-hub
Product: nerveshub (nerves_hub_web)
Versions: 1.0.0 up to, but excluding, 2.4.0

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-285 CWE-668

Requires explicit authorization for individuals to use external systems to access or handle organization-controlled information.

addresses: CWE-285 CWE-668

It mandates explicit checks to confirm the sharing partner's authorizations align with the information's access and use restrictions.

addresses: CWE-285 CWE-668

Authorization checks via training and content reviews ensure only approved information is released to public systems.

addresses: CWE-285 CWE-668

Detects and blocks data mining attempts that violate intended authorization boundaries for data access.

addresses: CWE-285 CWE-668

Requires and applies authorization decisions specifically to control information flows based on policy.

addresses: CWE-285 CWE-668

Documenting security requirements and authorizing connections ensures correct authorization decisions.

addresses: CWE-285 CWE-668

Documenting access to processing and storage locations helps ensure correct authorization for information resources.

addresses: CWE-285 CWE-668

Limiting media access to authorized parties addresses improper authorization for resource access.
