CVE 9.4 CRITICAL

Authorization Bypass Through User-Controlled Key in Hubitat Elevation Hubs_CVE-2026-1201

January 25, 2026 invoker category_cve
9.4 / 10
CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Description

An Authorization Bypass Through User-Controlled Key vulnerability in Hubitat Elevation home automation controllers prior to version 2.4.2.157 could allow a remote authenticated user to control connected devices outside of their authorized scope via client-side request manipulation.

Basic Information

ID CVE-2026-1201
Source icscert
Published Jan 22, 2026 at 21:52
Modified Jan 23, 2026 at 20:12

Affected Product

Vendor Hubitat
Product Elevation C3
Affected Versions Hubitat Elevation C3 0
Hubitat Elevation C4 0
Hubitat Elevation C5 0
Hubitat Elevation C7 0
Hubitat Elevation C8 0
Hubitat Elevation C8 pro 0

CWE Classification

CWE-639

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.