CVE-2026-1201 - Vulnerability Details

An Authorization Bypass Through User-Controlled Key vulnerability in Hubitat Elevation home automation controllers prior to version 2.4.2.157 could allow a remote authenticated user to control connected devices outside of their authorized scope via client-side request manipulation.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact High

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Exploitation none

Automatable yes

Technical Impact total

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Hubitat

Elevation C3

unaffected

Version	Status	Constraints
`0`	affected	< 2.4.2.157

Hubitat

Elevation C4

unaffected

Version	Status	Constraints
`0`	affected	< 2.4.2.157

Hubitat

Elevation C5

unaffected

Version	Status	Constraints
`0`	affected	< 2.4.2.157

Hubitat

Elevation C7

unaffected

Version	Status	Constraints
`0`	affected	< 2.4.2.157

Hubitat

Elevation C8

unaffected

Version	Status	Constraints
`0`	affected	< 2.4.2.157

Hubitat

Elevation C8 pro

unaffected

Version	Status	Constraints
`0`	affected	< 2.4.2.157

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Hubitat Subscribe	Elevation C3 Subscribe Elevation C4 Subscribe Elevation C5 Subscribe Elevation C7 Subscribe Elevation C8 Subscribe Elevation C8 Pro Subscribe

Project Subscriptions

Vendors	Products
Hubitat Subscribe	Elevation C3 Subscribe Elevation C4 Subscribe Elevation C5 Subscribe Elevation C7 Subscribe Elevation C8 Subscribe Elevation C8 Pro Subscribe

Advisories

No advisories yet.

Fixes

Solution

Hubitat has released the following for users to implement: * Firmware version [2.4.2.157]( https://community.hubitat.com/t/release-2-4-2-available/154531/10 )

Workaround

No workaround given by the vendor.

References

Link	Providers
https://ostrichlab.io/research-blog/?post=hubitat_writeup
https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-06

History

Thu, 29 Jan 2026 17:00:00 +0000

Type	Values Removed	Values Added
References		https://ostrichlab.io/research-blog/?post=hubitat_writeup

Fri, 23 Jan 2026 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 23 Jan 2026 16:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Hubitat Hubitat elevation C3 Hubitat elevation C4 Hubitat elevation C5 Hubitat elevation C7 Hubitat elevation C8 Hubitat elevation C8 Pro
Vendors & Products		Hubitat Hubitat elevation C3 Hubitat elevation C4 Hubitat elevation C5 Hubitat elevation C7 Hubitat elevation C8 Hubitat elevation C8 Pro

Thu, 22 Jan 2026 23:00:00 +0000

Type	Values Removed	Values Added
Description		An Authorization Bypass Through User-Controlled Key vulnerability in Hubitat Elevation home automation controllers prior to version 2.4.2.157 could allow a remote authenticated user to control connected devices outside of their authorized scope via client-side request manipulation.
Title		Authorization Bypass Through User-Controlled Key in Hubitat Elevation Hubs
Weaknesses		CWE-639
References		https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-06
Metrics		cvssV4_0 `{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2026-01-22T21:52:01.011Z

Updated: 2026-01-29T16:51:31.043Z

Reserved: 2026-01-19T14:29:21.551Z

Link: CVE-2026-1201

Vulnrichment

Updated: 2026-01-23T20:12:43.981Z

NVD

Status : Awaiting Analysis

Published: 2026-01-22T22:16:16.130

Modified: 2026-01-29T17:16:23.307

Link: CVE-2026-1201

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-01-23T10:27:19Z

Weaknesses

CWE-639

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact High

Exploitation none

Automatable yes

Technical Impact total

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object