Hubitat Patches Critical Authorization Bypass in Elevation Hubs
Take action: Make sure all Hubitat devices are isolated from the internet and reachable from trusted networks only. Also, limit access to trusted users and educate them on the risks of malware, infostealers, password recycling and phishing. Then plan an update cycle to bring your Hubitat Elevation Hub to firmware version 2.4.2.157.
Learn More
CISA and Hubitat report a critical flaw in the Elevation Hub series that enables authenticated attackers to control devices.
The flaw is tracked as CVE-2026-1201 (CVSS score 9.1). It is an authorization bypass: an authenticated user can control devices outside their scope by changing keys in the request. The hub trusts certain keys sent by the user's browser, so an attacker who modifies those keys can trick the hub into granting higher permissions.
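To make the bug class concrete, here is an added illustration (not Hubitat's code; the request shape, the `scope_user` key and the device table are constructed for the example) of an authorization decision driven by a client-supplied request key, alongside the corrected form that derives scope only from the server-side session, and a simple detection check a defender could apply to hub or proxy logs:

```python
# Added example of the bug class described above (an authorization decision
# driven by client-controlled request keys), not Hubitat's code. The field
# names, the 'scope_user' key and the sample scope table are constructed.
from dataclasses import dataclass

# Constructed sample data: devices each authenticated user may control.
USER_DEVICE_SCOPE = {
    "alice": {"dev-1", "dev-2"},
    "bob": {"dev-3"},
}


@dataclass
class Request:
    session_user: str   # identity the server established from the session; trusted
    params: dict        # request keys sent by the browser; attacker-controlled


def authorize_vulnerable(req: Request) -> bool:
    """Vulnerable pattern: the scope is selected by a key the client sent
    ('scope_user'), so editing that key changes whose permissions are checked."""
    claimed_user = req.params.get("scope_user", req.session_user)
    return req.params["device"] in USER_DEVICE_SCOPE.get(claimed_user, set())


def authorize_hardened(req: Request) -> bool:
    """Hardened pattern: the scope comes only from the server-side session
    identity; no key in the request body can widen it."""
    return req.params["device"] in USER_DEVICE_SCOPE.get(req.session_user, set())


def scope_key_mismatch(req: Request) -> bool:
    """Detection aid: flag requests whose client-supplied scope key disagrees
    with the session identity, a signal worth alerting on in request logs."""
    claimed = req.params.get("scope_user")
    return claimed is not None and claimed != req.session_user


if __name__ == "__main__":
    # Constructed requests: one within bob's scope, one where a request key
    # was altered to name another user's scope.
    normal = Request("bob", {"device": "dev-3"})
    tampered = Request("bob", {"scope_user": "alice", "device": "dev-1"})
    for label, r in (("normal", normal), ("tampered", tampered)):
        print(label,
              "vulnerable:", authorize_vulnerable(r),
              "hardened:", authorize_hardened(r),
              "flag:", scope_key_mismatch(r))
```

The hardened handler never reads an identity or scope from the request parameters; the only input that selects a permission set is the identity the server itself bound to the session. The mismatch check is the kind of rule that can be added to a reverse proxy or log pipeline in front of a device that cannot be patched immediately.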
Affected devices are Elevation C3, C4, C5, C7, C8, and C8 Pro.
Users should update their Hubitat hub to firmware version 2.4.2.157 or newer. CISA also recommends keeping these hubs off the public internet; use a Virtual Private Network (VPN) if you need to reach the hub from a remote location.