Description
An Authorization Bypass Through User-Controlled Key vulnerability in Hubitat Elevation home automation controllers prior to version 2.4.2.157 could allow a remote authenticated user to control connected devices outside of their authorized scope via client-side request manipulation.
References (2)
Core 2
Core References
Third Party Advisory, US Government Resource government-resource
https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-06
Various Sources technical-description
related
https://ostrichlab.io/research-blog/?post=hubitat_writeup
Scores
CVSS v4
9.4
EPSS
0.0046
EPSS Percentile
36.6%
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-639
Status
published
Published
Jan 22, 2026
Tracked Since
Feb 18, 2026