CVE-2026-1201

N/A Unknown
Published: January 22, 2026 Modified: January 29, 2026
View on NVD

Description

An Authorization Bypass Through User-Controlled Key vulnerability in Hubitat Elevation home automation controllers prior to version 2.4.2.157 could allow a remote authenticated user to control connected devices outside of their authorized scope via client-side request manipulation.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://ostrichlab.io/research-blog/?post=hubitat_writeup
Source: ics-cert@hq.dhs.gov
https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-06
Source: ics-cert@hq.dhs.gov

2 reference(s) from NVD

Quick Stats

CVSS v3 Score
N/A / 10.0
EPSS (Exploit Probability)
0.0%
5th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-639

Related CVEs

CVE-2026-4315 N/A
CVE-2026-4266 N/A
CVE-2026-4425 N/A
CVE-2019-25655 6.2
CVE-2019-25654 7.5