New CVE-2026-1201 (platform vulnerability was fixed in Aug 2025)

I just got the notice about a new CVE against Hubitat. I am new to the forum and I have not seen much mentioned about CVEs.
CVE-2026-1201 if you search for it you will see the details.
Anyone else track CISA news?
thanks-

===========
An Authorization Bypass Through User-Controlled Key vulnerability in Hubitat Elevation home automation controllers prior to version 2.4.2.157 could allow a remote authenticated user to control connected devices outside of their authorized scope via client-side request manipulation.

Simple fix: Update to the current 2.4.3.177.

6 Likes

Please provide a link to this CVE. I cannot find it on the CISA site.

3 Likes

According to NIST it doesn't exist:
https://nvd.nist.gov/vuln/detail/CVE-2026-1201

and a search of the Database for Hubitat comes back not found.

1 Like

Are you sure about that?

1 Like

Was just about to post the same thing.

1 Like

Hubitat posted about the issue a while ago, assuming it is the same thing since the version number impacted matches.

3 Likes

Verbiage used belongs to CWE-639 (Authorization Bypass Through User-Controlled Key, CWE list version 4.19.1).

Looking further it appears that it was never issued a CVE, but it does appear in a research blog:
https://ostrichlab.io/research-blog/?post=hubitat_FA

(Which is what @jtp10181 is referencing above) and note the included timeline:

**Disclosure Timeline:**

  • Discovery: 2025-08-10
  • Reported to Vendor: 2025-08-12
  • Vendor Acknowledgment: 2025-08-16
  • Vendor Patch Release: 2025-08-28

3 Likes

I don't see the CVE either, but the news reporting is here (odd): cisa . gov news-events ics-advisories icsa-26-022-06
(I can't include links for some reason.)

1 Like

You need to be in the owners group to post links. It is a spam bot deterrent.

1 Like

FWIW, according to cve.org, the CVE id has been reserved by a CNA, but there is no corresponding CVE record ...

This is legit, I've been communicating with a number of people at CERT Vulnerability Notes Database to acknowledge and to backfill the information. It's not public yet, as far as I can tell in VINCE.

The issue has been reported privately and is fixed in firmware build 2.4.2.157: Release 2.4.2 Available - #10 by gopher.ny.

In a nutshell, if you have a functioning link to a single dashboard, you can use some crafty ways to access other dashboards and to control devices that the original dashboard has no permissions to.

12 Likes
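Added illustration of the CWE-639 pattern the post above describes, written as a hypothetical Python dashboard service (not Hubitat's code); the dashboard names, tokens and device ids are constructed, and the fix shown is the general remedy of deriving the authorization scope from the authenticated credential instead of from a key the client supplies.

```python
# Hypothetical dashboard service (not Hubitat's code) showing CWE-639:
# an authenticated caller changes a client-controlled key (dashboard_id)
# to reach devices outside the scope of the credential it actually holds.
from dataclasses import dataclass


@dataclass(frozen=True)
class Dashboard:
    dashboard_id: str
    access_token: str
    device_ids: frozenset  # devices this dashboard may control


# Constructed sample data: two dashboards with disjoint device scopes.
DASHBOARDS = {
    "dash-A": Dashboard("dash-A", "token-A", frozenset({"lamp-1", "plug-2"})),
    "dash-B": Dashboard("dash-B", "token-B", frozenset({"switch-9"})),
}
TOKENS = {d.access_token: d for d in DASHBOARDS.values()}


def control_device_vulnerable(token, dashboard_id, device_id, command):
    """Authenticates the token, then trusts the client-supplied dashboard_id
    as the authorization key. A valid token for dash-A sent with
    dashboard_id='dash-B' passes the device check against dash-B's list."""
    if token not in TOKENS:
        return "denied: bad token"
    dash = DASHBOARDS.get(dashboard_id)
    if dash is None or device_id not in dash.device_ids:
        return "denied: device not on dashboard"
    return f"ok: {command} -> {device_id}"


def control_device_fixed(token, dashboard_id, device_id, command):
    """Derives the scope from the authenticated token alone: the supplied
    dashboard_id must match the token's own dashboard, and the device must be
    in that dashboard's allow-list. The client-controlled key no longer
    selects the scope; it is merely checked for consistency."""
    dash = TOKENS.get(token)
    if dash is None:
        return "denied: bad token"
    if dashboard_id != dash.dashboard_id:
        return "denied: token not valid for this dashboard"
    if device_id not in dash.device_ids:
        return "denied: device not on dashboard"
    return f"ok: {command} -> {device_id}"
```

A server-side audit of any endpoint that takes an object identifier from the client should ask the same question: is the scope looked up from the credential, or from the identifier?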

https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-06

Edit: I like the fact that the category affected is:

  • Critical Infrastructure Sectors: Energy, Communications
5 Likes

On the topic of the CVE classification, I agree. I work in the energy generation industry and was surprised to find Hubitat listed in a group of other industrial control CVEs.

1 Like

Things can get pretty hot around here when some new gadget comes out. :wink:

Thanks for the details, Victor!

1 Like

More information available here:

2 Likes

Yes. I did initially report this to MITRE, but with the current funding issues and the holidays it never got processed. I re-reported this to CISA and it has now been assigned CVE-2026-1201. The write-up on how this vulnerability functions is linked in a post in this thread as well.

I am happy to answer any questions and will again reiterate that @gopher.ny and @bobbyD were helpful and quick to resolve this issue.

7 Likes
