CRITICAL · CVE-2026-36537 · CNA: mitre

CVE-2026-36537: ThingsBoard v4

ThingsBoard v4.3.0.1 is vulnerable to an authentication bypass during the OAuth authorization code exchange. The application improperly trusts user-supplied identity data within the user parameter of the /login/oauth2/code/ endpoint. By manipulating the email address in this JSON object, a remote attacker can bypass authentication and gain full access to any existing user account on the platform without possessing the target user's credentials. This results in a complete account takeover.

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: no fixed version published yet
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An authentication bypass vulnerability affects ThingsBoard v4.3.0.1, specifically in the OAuth authorization code exchange flow. A remote attacker with no credentials can manipulate the email address in the user-supplied JSON object sent to the /login/oauth2/code/ endpoint to impersonate any existing account. Successful exploitation gives the attacker complete control over the targeted account, including full read, write, and administrative access to whatever that account can reach. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection (status: Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle ThingsBoard v4.3.0.1.

Triage (status: Available)

HarborGuard scores this finding at CVSS 9.8 (Critical) and can apply per-environment compliance policy weighting to adjust priority and route alerts to the appropriate team inbox within each customer organization.

Patch (status: Pending upstream)

Because no upstream fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a remediated release. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without any manual intervention.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the ThingsBoard service via HTTP/S from a remote location.

  • Authentication: Not required

    No credentials of any kind are needed; the attacker supplies a crafted unauthenticated request to the OAuth callback endpoint.

  • Victim interaction: Not required

    The attack is fully self-contained and does not require any action from a legitimate user or administrator.

  • Attack complexity: Low (AC:L)

    The exploit is reliable and condition-free: the attacker only needs to craft a JSON payload with a target email address, with no race conditions or environmental dependencies involved.

Blast Radius

  • Attacker gains full authenticated session as any chosen account, including administrator accounts, without knowing the account password.
  • Reads all data accessible to the compromised account, including device telemetry, dashboards, API keys, and stored credentials for integrated systems.
  • Modifies or deletes device configurations, rules, dashboards, and tenant settings within the scope of the hijacked account.
  • Disrupts platform operations by altering or removing critical automation rules and device pipelines under the compromised account.

How HarborGuard Handles This

Available on HarborGuard: because no fix version exists for this CVE at the time of publication, the platform monitors the advisory on every ingest cycle and will surface a patched-image rebuild automatically when the upstream ThingsBoard maintainer releases a remediated version. For customers with auto-remediation enabled, that rebuild will trigger a regression-test run and open a PR against affected workloads without manual steps. In the meantime, HarborGuard flags all images containing ThingsBoard v4.3.0.1 as critically vulnerable. Recommended compensating controls while waiting for an upstream patch include isolating the ThingsBoard service behind a network policy that restricts access to the /login/oauth2/code/ endpoint, applying egress filtering to limit lateral movement from a compromised instance, and disabling OAuth login in favor of an alternative authentication method if the platform supports feature-flag gating of that flow. Where compliance policy permits, auto-remediation configuration can be reviewed in the HarborGuard dashboard under the policy settings for the relevant environment.
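While an upstream fix is pending, a SOC will want telemetry on the endpoint this advisory names. The script below is an added example for defenders, not HarborGuard or ThingsBoard code: it parses web-server access log lines, keeps only requests to the /login/oauth2/code/ callback, and flags any that carry a client-supplied `user` parameter, pulling out the email it asserts so the hit can be correlated with the account that was targeted. It assumes a combined-format access log in front of ThingsBoard and that the `user` parameter is visible in the logged query string; the log lines are constructed for the example.

```python
"""Flag access-log requests to the ThingsBoard OAuth callback endpoint that
carry a client-supplied `user` identity parameter (CVE-2026-36537 indicator).

Added example, not HarborGuard or ThingsBoard code. Assumptions (not from the
advisory): combined-format access logs from a reverse proxy, the `user`
parameter appears in the logged query string, and SAMPLE_LOG is constructed.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint named in the advisory; the trailing registration id (google, github, ...) varies.
CALLBACK_PREFIX = "/login/oauth2/code/"
EMAIL_RE = re.compile(r"[^@\s\"']+@[^@\s\"']+\.[^@\s\"']+")

# Combined log format: ip - - [ts] "METHOD target HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines: two ordinary requests, two carrying a `user` parameter.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2026:12:00:01 +0000] "POST /api/auth/login HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [10/Mar/2026:12:00:05 +0000] "GET /login/oauth2/code/google?code=abc123&state=xyz HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2026:12:01:17 +0000] "GET /login/oauth2/code/google?code=abc123&user=%7B%22email%22%3A%22admin%40example.test%22%7D HTTP/1.1" 302 0 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Mar/2026:12:01:19 +0000] "GET /login/oauth2/code/github?user=operator%40example.test HTTP/1.1" 302 0 "-" "curl/8.0"',
]


def parse_line(line):
    """Split one combined-format line into fields; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)  # parse_qs percent-decodes the values
    return rec


def extract_email(user_value):
    """Return the email asserted in a `user` value, whether it is JSON or a bare string."""
    try:
        obj = json.loads(user_value)
        if isinstance(obj, dict) and isinstance(obj.get("email"), str):
            return obj["email"]
    except ValueError:
        pass  # not JSON; fall through to a plain pattern match
    m = EMAIL_RE.search(user_value)
    return m.group(0) if m else None


def flag_suspicious(lines):
    """Return one finding per callback request that carries a `user` parameter.

    A normal authorization-code callback carries `code` and `state`; an
    identity object supplied by the client is the indicator this advisory describes.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(CALLBACK_PREFIX):
            continue
        for value in rec["query"].get("user", []):
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "path": rec["path"],
                "status": rec["status"],
                "email": extract_email(value),
            })
    return findings


if __name__ == "__main__":
    for f in flag_suspicious(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} status={f['status']} asserted_email={f['email']}")
```

Run against the constructed sample, the two `curl` requests from 203.0.113.5 are reported with the emails they assert and the two ordinary requests are ignored. Access logs only capture the query string, so if the `user` object is sent in a request body this check needs application-level request logging or a WAF rule on the same endpoint; the resulting hits should be correlated with subsequent authenticated activity by the asserted account.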

Affected packages

  • n/a
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H