Severity by source
CVSS vector from NVD (primary rating; the only source for this CVE):
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A weakness has been identified in ThingsBoard up to 4.3.1.1. Affected by this vulnerability is the function getGatewayDockerComposeFile of the file /api/v1/provision of the component YAML Handler. This manipulation causes code injection. It is possible to initiate the attack remotely. The attack's complexity is rated as high. The exploitation appears to be difficult. The project was informed of the problem early through a pull request but has not reacted yet.
Analysis (AI-generated)
Code injection in ThingsBoard 4.3.1.0 and 4.3.1.1 allows remote attackers to embed control characters and shell metacharacters into server-generated Docker Compose YAML files and MQTT publish commands via the /api/v1/provision endpoint's getGatewayDockerComposeFile and getMqttPublishCommand functions. Device credential fields - including clientId, userName, password, and credentialsId - are passed unsanitized into YAML and shell command construction, enabling injection of shell special characters such as $, backtick, and double-quote. …
Vulnerability Assessment (AI-generated)
| Section | Assessment |
| --- | --- |
| Exploitation | The vulnerable code path is reached when getGatewayDockerComposeFile() processes a gateway host value containing control characters, or when getMqttPublishCommand() processes MQTT credential fields (clientId, userName, password, or credentialsId) containing shell metacharacters such as $, backtick, backslash, or double-quote. … |
| Risk Assessment | The CVSS 4.0 score of 2.3 reflects low exploitability and limited impact: AC:H indicates high attack complexity, UI:P requires passive user interaction (an operator must view or execute the generated output), and all vulnerable-system impact metrics are Low (VC:L, VI:L, VA:L) with no subsequent-system impact (SC:N, SI:N, SA:N). … |
| Exploit Scenario | An attacker with access to the ThingsBoard provisioning API submits a device credential, such as a clientId containing $(malicious_command) or a backtick-delimited subshell, that is embedded without escaping into a generated MQTT publish command displayed to an operator. When the operator copies and executes the displayed command in a terminal, the injected shell metacharacters trigger command substitution, achieving code execution on the operator's machine. … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed. … |
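As an added example for the Analysis paragraph and the assessment table above (not code from ThingsBoard or from this page): a Python sketch of the command-construction pattern described, beside a hardened version that shell-quotes every credential, plus the boundary check and the quoting-aware scan a defender can use to tell the two apart. The mosquitto_pub command shape, topic and sample credentials are constructed assumptions, not the project's actual generator.

```python
import re
import shlex

# Constructed sample credentials: a benign set and one carrying the substitution and stray quote the advisory describes.
SAFE_CREDS = {"clientId": "gw-001", "userName": "gateway", "password": "s3cret"}
HOSTILE_CREDS = {"clientId": "gw-$(date)", "userName": "gateway", "password": 'p"w'}

# Control characters plus the shell metacharacters named in the assessment.
UNSAFE_CHARS = re.compile(r'[\x00-\x1f\x7f$`\\"]')

def vulnerable_publish_command(host, creds):
    """The flawed pattern: untrusted values dropped straight into the command text (assumed shape)."""
    return (f'mosquitto_pub -h {host} -i "{creds["clientId"]}" -u "{creds["userName"]}" '
            f'-P "{creds["password"]}" -t v1/devices/me/telemetry -m "{{}}"')

def hardened_publish_command(host, creds):
    """Fix: shlex.quote single-quotes each value, and a POSIX shell performs no substitution inside single quotes."""
    q = shlex.quote
    return (f'mosquitto_pub -h {q(host)} -i {q(creds["clientId"])} -u {q(creds["userName"])} '
            f"-P {q(creds['password'])} -t v1/devices/me/telemetry -m '{{}}'")

def hardened_tokens(host, creds):
    """Words a POSIX shell would see; each credential survives as one literal word."""
    return shlex.split(hardened_publish_command(host, creds))

def find_unsafe_fields(creds):
    """Input validation at the provisioning boundary: names of fields that should be rejected."""
    return sorted(k for k, v in creds.items() if UNSAFE_CHARS.search(v))

def has_active_substitution(command):
    """Quoting-aware scan of generated command text: `$(` or a backtick counts only
    where a POSIX shell would act on it, i.e. unquoted or inside double quotes."""
    in_single = in_double = False
    i = 0
    while i < len(command):
        ch = command[i]
        if ch == "\\" and not in_single:
            i += 2  # a backslash-escaped character is literal outside single quotes
            continue
        if ch == "'" and not in_double:
            in_single = not in_single
        elif ch == '"' and not in_single:
            in_double = not in_double
        elif not in_single and (ch == "`" or command.startswith("$(", i)):
            return True
        i += 1
    return False
```

The scan is useful as a regression check on generator output; the field check is the control that belongs at the API boundary, since rejecting such values also keeps them out of the generated YAML.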
EUVD-2026-31957
GHSA-96jf-2v3w-hrrp