
Description

This vulnerability, in the MAXHUB Pivot client application versions prior to v1.36.2, may allow an attacker to obtain encrypted tenant email addresses and related metadata from any tenant. Due to the presence of a hardcoded AES key within the application, the encrypted data can be decrypted, enabling access to tenant email addresses and associated information in cleartext. Furthermore, an attacker may be able to cause a denial-of-service condition by enrolling multiple unauthorized devices into a tenant via MQTT, potentially disrupting tenant operations.

PUBLISHED Reserved 2026-04-15 | Published 2026-05-07 | Updated 2026-05-08 | Assigner icscert




HIGH: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Problem types

CWE-327

Product status

Default status: unaffected

Any version before 1.36.2: affected

1.36.2: unaffected

Credits

Malik MAKKES and Yassine BENGANA of Abicom Groupe OCI reported this vulnerability to MAXHUB. (finder)

References

www.maxhub.com/en/support/

www.cisa.gov/news-events/ics-advisories/icsa-26-127-01

github.com/...p/csaf_files/OT/white/2026/icsa-26-127-01.json

cve.org (CVE-2026-6411)

nvd.nist.gov (CVE-2026-6411)
