CVE-2026-6411

HIGH

MAXHUB Pivot Client Application Use of a Broken or Risky Cryptographic Algorithm

Title source: cna

Description

This vulnerability, in the MAXHUB Pivot client application versions prior to v1.36.2, may allow an attacker to obtain encrypted tenant email addresses and related metadata from any tenant. Due to the presence of a hardcoded AES key within the application, the encrypted data can be decrypted, enabling access to tenant email addresses and associated information in cleartext. Furthermore, an attacker may be able to cause a denial-of-service condition by enrolling multiple unauthorized devices into a tenant via MQTT, potentially disrupting tenant operations.

References (3)

Core 3

Core References

https://www.maxhub.com/en/support/

https://www.cisa.gov/news-events/ics-advisories/icsa-26-127-01

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-127-01.json

View Writeup ZIP pw:eip

Scores

CVSS v3 7.3

EPSS 0.0003

EPSS Percentile 7.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-327

Status published

Products (2)

MAXHUB/MAXHUB Pivot client application < 1.36.2

MAXHUB/MAXHUB Pivot client application 1.36.2

Published May 07, 2026

Tracked Since May 08, 2026