CVE-2026-9568
Code Injection in ThingsBoard via YAML Handler
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| thingsboard | thingsboard | to 4.3.1.1 (inc) |
| thingsboard | thingsboard | to 4.3.1.1 (exc) |
| thingsboard | thingsboard | 4.2.2.2 |
| thingsboard | thingsboard | 4.2.2.3 |
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-9568 is a vulnerability in ThingsBoard up to version 4.3.1.1 involving the function getGatewayDockerComposeFile in the YAML Handler component. It allows for code injection through manipulation of the YAML configuration used in the gateway's docker-compose file.
The vulnerability is a YAML injection issue that can be exploited remotely, although the attack complexity is high and exploitation is considered difficult.
A pull request was created to fix this by improving device credential validation and adding sanitization logic to prevent injection attacks related to CWE-93 and CWE-94.
How can this vulnerability impact me?
This vulnerability can lead to remote code injection, which may allow an attacker to execute arbitrary code on the affected system.
Successful exploitation could compromise the integrity and availability of the ThingsBoard platform, potentially leading to unauthorized control over IoT devices managed by the platform.
However, the attack complexity is high and exploitation is difficult, which may reduce the likelihood of successful attacks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves a YAML injection issue in the ThingsBoard gateway's docker-compose configuration, specifically in the getGatewayDockerComposeFile function. Detection would involve inspecting the docker-compose files or monitoring for unusual or unauthorized YAML content injections in the /api/v1/provision endpoint.
However, no specific detection commands or network/system scanning instructions are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves applying the fix introduced in pull request #15550, which enhances device credential validation and adds sanitization logic to prevent YAML injection vulnerabilities.
Updating ThingsBoard to versions 4.2.2.2 or 4.2.2.3 (or later) where this fix is applied is recommended.
Since the vulnerability is rated with high attack complexity and difficult exploitation, limiting access to the /api/v1/provision endpoint and monitoring for suspicious activity can also help mitigate risk until the update is applied.
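The kind of credential validation described above can be illustrated with the following added example, which is not ThingsBoard's code or the code from the pull request. The template, the accessToken field name, the allowlist pattern and the sample values are all assumptions constructed for illustration.

```python
import re

# Assumption: a conservative allowlist for credential values (not ThingsBoard's rule).
SAFE_CREDENTIAL = re.compile(r"[A-Za-z0-9_.\-]{1,64}")

# Hypothetical template; the real generated docker-compose file is not shown on this page.
TEMPLATE = (
    "services:\n"
    "  gateway:\n"
    "    image: example/gateway:latest\n"
    "    environment:\n"
    "      - accessToken={token}\n"
)

# Constructed sample values.
GOOD_TOKEN = "A1b2C3d4E5f6G7h8I9j0"
BAD_TOKEN = "tok123\n    extra_key: injected"


def is_safe_credential(value):
    """True only if the whole value matches the allowlist.

    fullmatch() is used so that CR/LF, spaces, ':' and '#' are rejected
    anywhere in the value, including a single trailing newline.
    """
    return SAFE_CREDENTIAL.fullmatch(value) is not None


def render_unsafe(token):
    """The 'before' pattern: the raw value is interpolated into YAML text."""
    return TEMPLATE.format(token=token)


def render_checked(token):
    """The hardened pattern: validate first, refuse to generate the file otherwise."""
    if not is_safe_credential(token):
        raise ValueError("credential contains characters not allowed in generated YAML")
    return TEMPLATE.format(token=token)


def structure_changed(rendered):
    """Detection aid: a rendered file must have exactly as many lines as the template."""
    return len(rendered.splitlines()) != len(TEMPLATE.splitlines())


if __name__ == "__main__":
    print(structure_changed(render_unsafe(BAD_TOKEN)))   # the extra key shows up as an extra line
    print(structure_changed(render_checked(GOOD_TOKEN)))
```

A stricter design builds the compose document as a data structure and serializes it with a YAML library, so that values are always quoted by the emitter and never concatenated into the text.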