CVE-2026-6411
Awaiting Analysis Awaiting Analysis - Queue
Hardcoded AES Key Leak in MAXHUB Pivot Client

Publication date: 2026-05-07

Last updated on: 2026-05-07

Assigner: ICS-CERT

Description
This vulnerability, in the MAXHUB Pivot client application versions prior to v1.36.2, may allow an attacker to obtain encrypted tenant email addresses and related metadata from any tenant. Due to the presence of a hardcoded AES key within the application, the encrypted data can be decrypted, enabling access to tenant email addresses and associated information in cleartext. Furthermore, an attacker may be able to cause a denial-of-service condition by enrolling multiple unauthorized devices into a tenant via MQTT, potentially disrupting tenant operations.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-07
Last Modified
2026-05-07
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-6411
EUVD
EUVD-2026-28471
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
maxhub pivot to 1.36.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-327 The product uses a broken or risky cryptographic algorithm or protocol.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the MAXHUB Pivot client application versions prior to v1.36.2. It allows an attacker to obtain encrypted tenant email addresses and related metadata from any tenant.

Because the application contains a hardcoded AES key, the attacker can decrypt the encrypted data, gaining access to tenant email addresses and associated information in cleartext.

Additionally, an attacker may cause a denial-of-service condition by enrolling multiple unauthorized devices into a tenant via MQTT, potentially disrupting tenant operations.

Impact Analysis

This vulnerability can impact you by exposing sensitive tenant email addresses and related metadata, which could lead to privacy breaches or targeted attacks.

Furthermore, the ability to cause a denial-of-service condition by enrolling unauthorized devices could disrupt your tenant's operations, affecting availability and service continuity.

Compliance Impact

This vulnerability allows an attacker to obtain and decrypt tenant email addresses and related metadata due to a hardcoded AES key, leading to unauthorized access to sensitive personal information.

Such unauthorized access and potential exposure of personal data could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized disclosure.

Additionally, the possibility of a denial-of-service condition disrupting tenant operations may affect availability requirements under these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6411. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart