CVE-2026-1201 - Vulnerability Details - OpenCVE

An Authorization Bypass Through User-Controlled Key vulnerability in Hubitat Elevation home automation controllers prior to version 2.4.2.157 could allow a remote authenticated user to control connected devices outside of their authorized scope via client-side request manipulation.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact High

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Hubitat	Elevation C3 Elevation C4 Elevation C5 Elevation C7 Elevation C8 Elevation C8 Pro

No data.

No data.

References

Link	Providers
https://www.spirityenterprise.com/virtual-ciso
https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-06

History

Fri, 23 Jan 2026 16:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Hubitat Hubitat elevation C3 Hubitat elevation C4 Hubitat elevation C5 Hubitat elevation C7 Hubitat elevation C8 Hubitat elevation C8 Pro
Vendors & Products		Hubitat Hubitat elevation C3 Hubitat elevation C4 Hubitat elevation C5 Hubitat elevation C7 Hubitat elevation C8 Hubitat elevation C8 Pro

Thu, 22 Jan 2026 23:00:00 +0000

Type	Values Removed	Values Added
Description		An Authorization Bypass Through User-Controlled Key vulnerability in Hubitat Elevation home automation controllers prior to version 2.4.2.157 could allow a remote authenticated user to control connected devices outside of their authorized scope via client-side request manipulation.
Title		Authorization Bypass Through User-Controlled Key in Hubitat Elevation Hubs
Weaknesses		CWE-639
References		https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-06
Metrics		cvssV4_0 `{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}`

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2026-01-22T21:52:01.011Z

Updated: 2026-01-22T21:52:01.011Z

Reserved: 2026-01-19T14:29:21.551Z

Link: CVE-2026-1201

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-01-22T22:16:16.130

Modified: 2026-01-22T22:16:16.130

Link: CVE-2026-1201

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1201", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2026-01-19T14:29:21.551Z", "datePublished": "2026-01-22T21:52:01.011Z", "dateUpdated": "2026-01-22T21:52:01.011Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Elevation C3", "vendor": "Hubitat", "versions": [{"lessThan": "2.4.2.157", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "Elevation C4", "vendor": "Hubitat", "versions": [{"lessThan": "2.4.2.157", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "Elevation C5", "vendor": "Hubitat", "versions": [{"lessThan": "2.4.2.157", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "Elevation C7", "vendor": "Hubitat", "versions": [{"lessThan": "2.4.2.157", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "Elevation C8", "vendor": "Hubitat", "versions": [{"lessThan": "2.4.2.157", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "Elevation C8 pro", "vendor": "Hubitat", "versions": [{"lessThan": "2.4.2.157", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Aaron 'theHastyOne' Hasty of Ostrich Lab reported this vulnerability to CISA."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An Authorization Bypass Through User-Controlled Key vulnerability in Hubitat Elevation home automation controllers prior to version 2.4.2.157 could allow a remote authenticated user to control connected devices outside of their authorized scope via client-side request manipulation.<br><br>"}], "value": "An Authorization Bypass Through User-Controlled Key vulnerability in Hubitat Elevation home automation controllers prior to version 2.4.2.157 could allow a remote authenticated user to control connected devices outside of their authorized scope via client-side request manipulation."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.4, "baseSeverity": "CRITICAL", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2026-01-22T21:52:01.011Z"}, "references": [{"tags": ["government-resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-06"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Hubitat has released the following for users to implement:<br><br>* Firmware version [2.4.2.157](<a target=\"_blank\" rel=\"nofollow\" href=\"https://community.hubitat.com/t/release-2-4-2-available/154531/10\">https://community.hubitat.com/t/release-2-4-2-available/154531/10</a>)<br>"}], "value": "Hubitat has released the following for users to implement:\n\n* Firmware version [2.4.2.157]( https://community.hubitat.com/t/release-2-4-2-available/154531/10 )"}], "source": {"discovery": "UNKNOWN"}, "title": "Authorization Bypass Through User-Controlled Key in Hubitat Elevation Hubs", "x_generator": {"engine": "Vulnogram 0.5.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An Authorization Bypass Through User-Controlled Key vulnerability in Hubitat Elevation home automation controllers prior to version 2.4.2.157 could allow a remote authenticated user to control connected devices outside of their authorized scope via client-side request manipulation."}], "id": "CVE-2026-1201", "lastModified": "2026-01-22T22:16:16.130", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2026-01-22T22:16:16.130", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-06"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}