Skip to main content

ThingsBoard CVE-2026-53676

| EUVDEUVD-2026-37828 HIGH
Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)
2026-06-17 jpcert GHSA-prc2-x3qx-38m9
8.6
CVSS 4.0 · Vendor: jpcert
Share

Severity by source

Vendor (jpcert) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.2 HIGH

Network-reachable API, low complexity, requires TENANT_ADMIN (PR:H), no UI; sandbox escape crosses trust boundary into host js-executor process so S:C with full CIA impact.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Primary rating from Vendor (jpcert).

CVSS VectorVendor: jpcert

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jun 18, 2026 - 03:43 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 18, 2026 - 03:43 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 18, 2026 - 03:38 vuln.today
cvss_changed
CVSS changed
Jun 18, 2026 - 03:38 NVD
7.2 (HIGH) 8.6 (HIGH)
Source Code Evidence Fetched
Jun 17, 2026 - 23:30 vuln.today
Analysis Generated
Jun 17, 2026 - 23:30 vuln.today

DescriptionCVE.org

ThingsBoard contains a prototype pollution vulnerability which may lead to arbitrary code execution within a sandboxed context by a user who can log in to the affected product with the tenant administrator privilege (TENANT_ADMIN).

AnalysisAI

Sandbox escape via prototype pollution in ThingsBoard (versions prior to v4.3.1.2) allows a TENANT_ADMIN-authenticated user to achieve arbitrary code execution within the tb-js-executor sandboxed JavaScript context. The flaw lets a rule-chain script reach the host realm through the args.constructor.constructor chain (e.g., synthesizing a Function that returns process), defeating the intended VM isolation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain TENANT_ADMIN credentials
Delivery
Authenticate to ThingsBoard API
Exploit
Submit crafted script to /api/ruleChain/testScript
Execution
Traverse args.constructor.constructor prototype chain
Persist
Synthesize Function returning host process
Impact
Execute arbitrary code on tb-js-executor host

Vulnerability AssessmentAI

Exploitation Requires an authenticated session with the TENANT_ADMIN role on a ThingsBoard instance prior to v4.3.1.2; CUSTOMER role is insufficient (the patch adds a separate test confirming `/api/ruleChain/testScript` is forbidden for customers). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N, VC:H/VI:H/VA:H, base 8.6) reflects a remote, low-complexity attack that nevertheless requires high privileges - specifically a logged-in TENANT_ADMIN - which materially limits the population of viable attackers to insiders or attackers who have already compromised tenant credentials. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained TENANT_ADMIN credentials (via phishing, credential reuse, or as a malicious insider on a shared ThingsBoard instance) submits a crafted rule-chain test script through POST /api/ruleChain/testScript containing `args.constructor.constructor('return process')()`, which traverses the polluted prototype chain to obtain the host Node.js `process` global. From there the script can spawn child processes, read environment variables (including database credentials), or pivot from the tb-js-executor microservice into the wider ThingsBoard cluster. …
Remediation Vendor-released patch: ThingsBoard v4.3.1.2 - upgrade to this version or later, which contains the JsExecutor sandbox hardening from PR https://github.com/thingsboard/thingsboard/pull/15600 and the accompanying regression test. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all ThingsBoard deployments, document versions, and restrict TENANT_ADMIN role assignment to absolutely necessary personnel. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-34621 HIGH POC
8.6 Apr 11

Prototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu

CVE-2024-56059 CRITICAL
9.8 Dec 18

Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau

CVE-2020-28271 CRITICAL POC
9.8 Nov 12

Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service

CVE-2023-38894 CRITICAL POC
9.8 Aug 16

A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi

CVE-2024-24292 CRITICAL POC
9.8 Mar 28

A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function

CVE-2023-26121 CRITICAL POC
10.0 Apr 11

All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s

CVE-2021-23449 CRITICAL POC
10.0 Oct 18

This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr

CVE-2024-39011 CRITICAL POC
9.8 Jul 30

Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser

CVE-2024-38988 CRITICAL POC
9.8 Mar 28

alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde

CVE-2025-57347 CRITICAL POC
9.8 Sep 24

A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf

CVE-2025-57321 CRITICAL POC
9.8 Sep 24

A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all

CVE-2024-45435 CRITICAL POC
9.8 Aug 29

Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this

Share

CVE-2026-53676 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy