Vulnerability Description
An Authorization Bypass Through User-Controlled Key vulnerability in Hubitat Elevation home automation controllers prior to version 2.4.2.157 could allow a remote authenticated user to control connected devices outside of their authorized scope via client-side request manipulation.
Related Weaknesses (CWE)
References
- https://ostrichlab.io/research-blog/?post=hubitat_writeup
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-06
FAQ
What is CVE-2026-1201?
CVE-2026-1201 is a documented vulnerability. An Authorization Bypass Through User-Controlled Key vulnerability in Hubitat Elevation home automation controllers prior to version 2.4.2.157 could allow a remote authenticated user to control connected devices outside of their authorized scope via client-side request manipulation.
How severe is CVE-2026-1201?
CVSS scoring is not yet available for CVE-2026-1201. Check NVD for updates.
Is there a patch for CVE-2026-1201?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.