Ostrich Lab - Security Research

Hubitat Dashboard Privilege Escalation and Device Information Disclosure

2025-08-31

CVE ID: CVE-2026-1201

Severity: High (CVSS v3.1 Base Score: 9.1)

Affected Product(s):

Affected Software Versions: 2.2.4 until 2.4.2.157

Vulnerability Type: Incorrect Access Control / Privilege Escalation

Impact: An authenticated attacker with access to the Hubitat Dashboard can:

Description: The Hubitat Dashboard app's design allows broad privilege escalation and information disclosure. With access to a single dashboard link, even one with no devices configured, an attacker can manipulate client-side HTTP requests to control every device associated with the hub, read encoded PINs, and enumerate device names.

Attack Vector:

Affected Component(s):

Reproduction Steps (safe, minimal):

Authenticate with the Hubitat Dashboard.

Observe the API requests sent when interacting with a dashboard link.

Modifying the JSON request body can allow access to devices outside the authenticated scope.
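The root cause described above is a server that authenticates the dashboard link but then acts on whatever device id the client places in the JSON body. The following is an added illustration, not Hubitat's code: a generic request handler with the defective pattern beside a version that checks the requested device against the dashboard's configured device set, plus a device listing that returns only in-scope names and never the encoded PIN field. All device ids, names, dashboard ids and the request format are constructed for the example.

```python
import json

# Constructed sample data for this example (hypothetical ids and names).
# HUB_DEVICES stands in for every device paired with the hub; the "pin" field
# models the encoded PIN that the advisory says could be disclosed.
HUB_DEVICES = {
    "7":  {"name": "Living Room Lamp", "pin": None},
    "12": {"name": "Front Door Lock",  "pin": "ENCODED-PIN-PLACEHOLDER"},
    "31": {"name": "Garage Door",      "pin": None},
}

# Each dashboard link is only supposed to expose the devices configured on it.
DASHBOARDS = {
    "dash-empty":  {"devices": []},      # a shared link with no devices configured
    "dash-living": {"devices": ["7"]},
}


class AccessDenied(Exception):
    """Raised when a request falls outside the dashboard's configured scope."""


def is_in_scope(dashboard_id: str, device_id: str) -> bool:
    """True only if the dashboard exists and lists this device id."""
    dash = DASHBOARDS.get(dashboard_id)
    return dash is not None and device_id in dash["devices"]


def handle_command_unscoped(dashboard_id: str, body: str) -> dict:
    """Defective pattern: the dashboard link is authenticated, but the device
    id is read from the client-supplied JSON and never compared with the
    dashboard's device list, so any hub device can be commanded."""
    if dashboard_id not in DASHBOARDS:
        raise AccessDenied("unknown dashboard")
    req = json.loads(body)
    device = HUB_DEVICES[str(req["id"])]          # trusts the client's id
    return {"device": device["name"], "cmd": req["cmd"]}


def handle_command_scoped(dashboard_id: str, body: str) -> dict:
    """Hardened pattern: the device id must be in the dashboard's configured
    set; the request is rejected before any device lookup otherwise."""
    req = json.loads(body)
    device_id = str(req.get("id", ""))
    if not is_in_scope(dashboard_id, device_id):
        raise AccessDenied(f"device {device_id!r} is not on dashboard {dashboard_id!r}")
    device = HUB_DEVICES[device_id]
    return {"device": device["name"], "cmd": req["cmd"]}


def list_devices_scoped(dashboard_id: str) -> list:
    """Device listing that returns only in-scope devices and drops fields the
    dashboard client has no need for (here the encoded PIN)."""
    dash = DASHBOARDS.get(dashboard_id)
    if dash is None:
        raise AccessDenied("unknown dashboard")
    return [{"id": d, "name": HUB_DEVICES[d]["name"]} for d in dash["devices"]]


if __name__ == "__main__":
    body = json.dumps({"id": "12", "cmd": "unlock"})
    # The empty dashboard should control nothing; the unscoped handler still acts.
    print("unscoped:", handle_command_unscoped("dash-empty", body))
    try:
        handle_command_scoped("dash-empty", body)
    except AccessDenied as err:
        print("scoped:", err)
    print("listing:", list_devices_scoped("dash-living"))
```

The check belongs on the server for every endpoint a dashboard link can reach (commands, device lists, attribute reads), since the client-side JSON is under the user's control and cannot be relied on to stay within the set of devices the dashboard was configured with.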

Mitigation / Recommendations:

Users should avoid sharing dashboard links until they have updated to release 2.4.2.157.

Vendor Acknowledgment: Hubitat has acknowledged the vulnerability and released a patch addressing this issue on 2025-08-28.

Disclosure Timeline:

Discovery: 2025-08-10

Reported to Vendor: 2025-08-12

Vendor Acknowledgment: 2025-08-16

Vendor Patch Release: 2025-08-28

90-day disclosure window: 2025-11-10

References:

Formal Advisory: https://ostrichlab.io/research-blog/?post=hubitat_FA

CISA Advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-06

Vulnerability Write Up: https://ostrichlab.io/research-blog/?post=hubitat_writeup

Patch Release: https://community.hubitat.com/t/release-2-4-2-available/154531/8

Vendor Notification: https://community.hubitat.com/t/security-issue-in-hubitat-dashboards/156287

Credits: Aaron “theHastyOne” Hasty, Ostrich Lab