CVE-2026-1201

🗓️ 22 Jan 2026 21:52:01Reported by icscertType

CVE-2026-1201 enables authorization bypass on Hubitat Elevation hubs before 2.4.2.157, allowing remote authenticated users to control devices outside their scope via client-side requests.

Reporter	Title	Published	Views	Family All 10
ATTACKERKB	CVE-2026-1201	22 Jan 202621:52	–	attackerkb
Circl	CVE-2026-1201	22 Jan 202611:00	–	circl
CNNVD	Hubitat Elevation security vulnerability	22 Jan 202600:00	–	cnnvd
Cvelist	CVE-2026-1201 Authorization Bypass Through User-Controlled Key in Hubitat Elevation Hubs	22 Jan 202621:52	–	cvelist
EUVD	EUVD-2026-4204	23 Jan 202600:31	–	euvd
ICS	Hubitat Elevation Hubs	22 Jan 202607:00	–	ics
NVD	CVE-2026-1201	22 Jan 202622:16	–	nvd
Positive Technologies	PT-2026-4286	22 Jan 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-1201	24 Jan 202603:17	–	redhatcve
Vulnrichment	CVE-2026-1201 Authorization Bypass Through User-Controlled Key in Hubitat Elevation Hubs	22 Jan 202621:52	–	vulnrichment

Vulners

Node

hubitat elevation_c3Range<2.4.2.157

hubitat elevation_c4Range<2.4.2.157

hubitat elevation_c5Range<2.4.2.157

hubitat elevation_c7Range<2.4.2.157

hubitat elevation_c8Range<2.4.2.157

hubitat elevation_c8_proRange<2.4.2.157

[
  {
    "defaultStatus": "unaffected",
    "product": "Elevation C3",
    "vendor": "Hubitat",
    "versions": [
      {
        "lessThan": "2.4.2.157",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "Elevation C4",
    "vendor": "Hubitat",
    "versions": [
      {
        "lessThan": "2.4.2.157",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "Elevation C5",
    "vendor": "Hubitat",
    "versions": [
      {
        "lessThan": "2.4.2.157",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "Elevation C7",
    "vendor": "Hubitat",
    "versions": [
      {
        "lessThan": "2.4.2.157",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "Elevation C8",
    "vendor": "Hubitat",
    "versions": [
      {
        "lessThan": "2.4.2.157",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "Elevation C8 pro",
    "vendor": "Hubitat",
    "versions": [
      {
        "lessThan": "2.4.2.157",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
ostrichlab	www.ostrichlab.io/research-blog/
cisa	www.cisa.gov/news-events/ics-advisories/icsa-26-022-06

15 Apr 2026 00:35Current

5.6Medium risk

Vulners AI Score5.6

CVSS 49.4

EPSS0.00022

SSVC

CWE-639