CVE-2026-1201

Summary

An Authorization Bypass Through User-Controlled Key vulnerability in Hubitat Elevation home automation controllers prior to version 2.4.2.157 could allow a remote authenticated user to control connected devices outside of their authorized scope via client-side request manipulation.

Affected Software

VendorProductVersion RangeStatus
HubitatElevation C30 < 2.4.2.157affected
HubitatElevation C40 < 2.4.2.157affected
HubitatElevation C50 < 2.4.2.157affected
HubitatElevation C70 < 2.4.2.157affected
HubitatElevation C80 < 2.4.2.157affected
HubitatElevation C8 pro0 < 2.4.2.157affected

Weaknesses

  • CWE-639: CWE-639 Authorization Bypass Through User-Controlled Key

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References