MAXHUB Pivot Client Application Use of a Broken or Risky...

7.3 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Description

This vulnerability, in the MAXHUB Pivot client application versions
prior to v1.36.2, may allow an attacker to obtain encrypted tenant email
addresses and related metadata from any tenant. Due to the presence of a
hardcoded AES key within the application, the encrypted data can be
decrypted, enabling access to tenant email addresses and associated
information in cleartext. Furthermore, an attacker may be able to cause a
denial-of-service condition by enrolling multiple unauthorized devices
into a tenant via MQTT, potentially disrupting tenant operations.

Basic Information

ID CVE-2026-6411

Source icscert

Published May 7, 2026 at 22:25

Affected Product

Vendor MAXHUB

Product MAXHUB Pivot client application

Affected Versions MAXHUB MAXHUB Pivot client application 0

CWE Classification

CWE-327

References

{
    "lastseen": "",
    "description": "This vulnerability, in the MAXHUB Pivot client application versions \nprior to v1.36.2, may allow an attacker to obtain encrypted tenant email\n addresses and related metadata from any tenant. Due to the presence of a\n hardcoded AES key within the application, the encrypted data can be \ndecrypted, enabling access to tenant email addresses and associated \ninformation in cleartext. Furthermore, an attacker may be able to cause a\n denial-of-service condition by enrolling multiple unauthorized devices \ninto a tenant via MQTT, potentially disrupting tenant operations.",
    "published": "2026-05-07T22:25:54.959Z",
    "modified": "2026-05-07T22:25:54.959Z",
    "type": "cve",
    "title": "MAXHUB Pivot Client Application Use of a Broken or Risky Cryptographic Algorithm",
    "source": "icscert",
    "references": "https://www.maxhub.com/en/support/\nhttps://www.cisa.gov/news-events/ics-advisories/icsa-26-127-01\nhttps://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-127-01.json",
    "id": "CVE-2026-6411",
    "bulletinFamily": "",
    "cwe": [
        "CWE-327"
    ],
    "cvelist": null,
    "sourceData": "MAXHUB MAXHUB Pivot client application 0",
    "sourceHref": "",
    "cvss": {
        "score": 7.3,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "MAXHUB Pivot client application",
    "version": "0",
    "vendor": "MAXHUB",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

MAXHUB Pivot Client Application Use of a Broken or Risky Cryptographic Algorithm_CVE-2026-6411