CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Description (NVD)
This vulnerability, in the MAXHUB Pivot client application versions prior to v1.36.2, may allow an attacker to obtain encrypted tenant email addresses and related metadata from any tenant. Due to the presence of a hardcoded AES key within the application, the encrypted data can be decrypted, enabling access to tenant email addresses and associated information in cleartext. Furthermore, an attacker may be able to cause a denial-of-service condition by enrolling multiple unauthorized devices into a tenant via MQTT, potentially disrupting tenant operations.
Analysis (AI)
Remote attackers can decrypt tenant email addresses and metadata, and trigger denial-of-service conditions in MAXHUB Pivot client versions prior to v1.36.2 via hardcoded AES encryption keys. The vulnerability (CWE-327: Broken/Risky Cryptographic Algorithm) enables complete bypass of data confidentiality controls without authentication due to embedded cryptographic secrets in the application binary. …
Remediation (AI)
Within 24 hours: Inventory all MAXHUB Pivot client deployments and identify systems running versions prior to v1.36.2; document affected device locations and associated business units. Within 7 days: Isolate or restrict network access to affected Pivot clients by implementing network segmentation or firewall rules limiting connectivity to trusted internal networks only; disable external access to these devices pending patch availability. …
External POC / Exploit Code

- EUVD-2026-28471
- GHSA-m8jc-jjj9-hgc8