Description

An Authorization Bypass Through User-Controlled Key vulnerability in Hubitat Elevation home automation controllers prior to version 2.4.2.157 could allow a remote authenticated user to control connected devices outside of their authorized scope via client-side request manipulation.
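The mechanism this record names, CWE-639, is a server that authenticates the caller but then honours whatever object key the client supplies. The block below is an added illustration of that pattern and its fix; it is not Hubitat's code, and the device table, the per-user grant model, the `Request` shape and the handler names are all assumptions made for the demonstration.

```python
"""Added illustration of CWE-639 (authorization bypass through a
user-controlled key) in a device-control endpoint.  Not Hubitat's
implementation: data model, request format and function names are assumed."""

from dataclasses import dataclass

# Constructed sample data: a hub with three devices and per-user grants.
DEVICES = {
    "101": {"name": "Porch light", "state": "off"},
    "102": {"name": "Front door lock", "state": "locked"},
    "103": {"name": "Guest room lamp", "state": "off"},
}

# Device IDs each user may control (assumed grant model).
GRANTS = {
    "alice": {"101", "102", "103"},   # full scope
    "guest": {"103"},                 # guest room lamp only
}

COMMANDS = {"on", "off", "lock", "unlock"}


@dataclass
class Request:
    user: str          # assumed to be authenticated by an upstream layer
    device_id: str     # client-supplied key: the attacker-controlled value
    command: str


class Forbidden(Exception):
    pass


def _apply(state: str, command: str) -> str:
    """Minimal state transition so the handlers have an observable effect."""
    return {"on": "on", "off": "off", "lock": "locked", "unlock": "unlocked"}[command]


def handle_vulnerable(req: Request) -> str:
    """Authenticates the user but never checks scope: the device is resolved
    straight from the client-supplied device_id, so a 'guest' who edits the ID
    in the request can drive any device on the hub."""
    if req.user not in GRANTS:
        raise Forbidden("unknown user")
    if req.command not in COMMANDS:
        raise ValueError("unknown command")
    device = DEVICES[req.device_id]          # no authorization check here
    device["state"] = _apply(device["state"], req.command)
    return device["state"]


def handle_fixed(req: Request) -> str:
    """Hardened handler: the supplied key is honoured only if it lies inside
    the caller's grant set, checked server-side before any lookup or action."""
    allowed = GRANTS.get(req.user)
    if allowed is None:
        raise Forbidden("unknown user")
    if req.command not in COMMANDS:
        raise ValueError("unknown command")
    if req.device_id not in allowed:         # the CWE-639 check
        raise Forbidden(f"{req.user} may not control device {req.device_id}")
    device = DEVICES[req.device_id]
    device["state"] = _apply(device["state"], req.command)
    return device["state"]


def demo() -> tuple:
    """Send the same tampered request (guest unlocking the front door) to both
    handlers and return (vulnerable_outcome, fixed_outcome)."""
    tampered = Request(user="guest", device_id="102", command="unlock")
    DEVICES["102"]["state"] = "locked"
    vulnerable_result = handle_vulnerable(tampered)   # door gets unlocked
    DEVICES["102"]["state"] = "locked"
    try:
        handle_fixed(tampered)
        fixed_result = DEVICES["102"]["state"]
    except Forbidden:
        fixed_result = "forbidden:" + DEVICES["102"]["state"]
    return vulnerable_result, fixed_result


if __name__ == "__main__":
    print(demo())   # ('unlocked', 'forbidden:locked')
```

The point of the fix is where the check sits: the grant lookup is keyed on the authenticated identity, not on anything the client sent, and it runs before the device is touched. Hiding device IDs from the UI or validating them only in the client would leave the bypass intact.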

PUBLISHED Reserved 2026-01-19 | Published 2026-01-22 | Updated 2026-01-29 | Assigner icscert

CRITICAL: 9.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Problem types

CWE-639 Authorization Bypass Through User-Controlled Key

Product status

Default status
unaffected

Any version before 2.4.2.157
affected

Credits

Aaron 'theHastyOne' Hasty of Ostrich Lab reported this vulnerability to CISA. (finder)

References

www.cisa.gov/news-events/ics-advisories/icsa-26-022-06 (government-resource)

ostrichlab.io/research-blog/?post=hubitat_writeup (technical-description, related)

cve.org (CVE-2026-1201)

nvd.nist.gov (CVE-2026-1201)