CVE-2026-1201
Published: Jan 22, 2026
Modified: Jan 29, 2026
PUBLISHED
Description
An Authorization Bypass Through User-Controlled Key vulnerability in Hubitat Elevation home automation controllers prior to version 2.4.2.157 could allow a remote authenticated user to control connected devices outside of their authorized scope via client-side request manipulation.
| Vendor | Product | Versions |
|---|---|---|
| Hubitat | Elevation C3 | affected 0 - < 2.4.2.157 |
| Hubitat | Elevation C4 | affected 0 - < 2.4.2.157 |
| Hubitat | Elevation C5 | affected 0 - < 2.4.2.157 |
| Hubitat | Elevation C7 | affected 0 - < 2.4.2.157 |
| Hubitat | Elevation C8 | affected 0 - < 2.4.2.157 |
| Hubitat | Elevation C8 pro | affected 0 - < 2.4.2.157 |
Weaknesses (CWE)
References
https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-06
government-resource
https://ostrichlab.io/research-blog/?post=hubitat_writeup
technical-description
related