KeyAudit

infrastructure · audit-finding

MAXHUB Pivot Client Vulnerability Allows Email Data Exposure and DoS

CISA has published an advisory for a vulnerability in the MAXHUB Pivot client application, versions prior to v1.36.2, tracked as CVE-2026-6411. The root cause is an AES key hardcoded in the application. Because the key ships inside every copy of the client, anyone who installs the software can recover it from the executable and decrypt the encrypted tenant email addresses and associated metadata, so the data is effectively exposed in cleartext. CISA also states that the flaw may allow an attacker to enroll multiple unauthorized devices into a tenant via MQTT, potentially disrupting tenant operations (a denial-of-service condition).

The affected product is deployed in the Information Technology sector worldwide. The vulnerability carries a CVSS v3 base score of 7.3 (High). MAXHUB, which has its headquarters in the United States, has released version v1.36.2 to address the issue. CISA recommends updating to the latest version and, as defense in depth, minimizing the client's network exposure through segmentation and firewalls and using secure remote access methods such as VPNs where remote access is required.

One practical caveat: updating removes the shared key from the client going forward, but a key that has already been extracted cannot be recalled. Any ciphertext an attacker captured while the shared key was in use remains decryptable with it, and the advisory summary here says nothing about re-encrypting data already stored under the old key, so records that were exposed before the update should be treated as compromised.

For wallet and key holders, this vulnerability has no direct bearing on cryptocurrency or digital-asset security. It does illustrate a pattern worth auditing for everywhere: a cryptographic key embedded in distributed software is a secret shared with every user of that software, attackers included, and any confidentiality built on it fails as soon as one copy is reverse-engineered. Users of MAXHUB Pivot should update promptly to prevent email address exposure and potential denial-of-service attacks, and organizations running the client should review the network controls around it (VPNs, network isolation) to limit exposure while they do.
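To make the failure concrete, here is an added example in Go (not code from MAXHUB, CISA or the advisory) that models the pattern: a client that seals tenant records under a key compiled into its binary, the decryption an attacker can perform once that key has been pulled out of the executable, and a hardened variant that generates a per-installation key at first run. The key bytes, the record layout, the field names and every function are constructed for illustration; the advisory gives none of these details, and storage of the per-installation key in an OS keystore is assumed rather than shown.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// hardcodedKey stands in for a key compiled into a client binary. It is a
// constructed placeholder, not the key from the advisory. Anything that lives
// in the shipped executable can be recovered by anyone who installs the client.
var hardcodedKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256

// tenantRecord is a constructed stand-in for the "tenant email address and
// associated information" the advisory describes.
type tenantRecord struct {
	Email    string
	TenantID string
}

func encode(r tenantRecord) []byte { return []byte(r.Email + "|" + r.TenantID) }

func decode(b []byte) (tenantRecord, error) {
	i := bytes.IndexByte(b, '|')
	if i < 0 {
		return tenantRecord{}, errors.New("malformed record")
	}
	return tenantRecord{Email: string(b[:i]), TenantID: string(b[i+1:])}, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWith encrypts with AES-256-GCM; output is nonce || ciphertext || tag.
func sealWith(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openWith reverses sealWith; a wrong key fails authentication instead of
// returning garbage, which keeps the demonstration unambiguous.
func openWith(key, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// VulnerableClientSeal models the flawed design: every installation encrypts
// every tenant's record under the same key baked into the binary.
func VulnerableClientSeal(r tenantRecord) ([]byte, error) {
	return sealWith(hardcodedKey, encode(r))
}

// AttackerDecrypt models what the advisory describes: an attacker who has
// extracted the key from the client binary decrypts any tenant's blob.
func AttackerDecrypt(blob []byte) (tenantRecord, error) {
	pt, err := openWith(hardcodedKey, blob)
	if err != nil {
		return tenantRecord{}, err
	}
	return decode(pt)
}

// HardenedClient generates a fresh random key per installation at first run.
// Keeping that key in the OS keystore rather than beside the data is assumed.
type HardenedClient struct{ key []byte }

func NewHardenedClient() (*HardenedClient, error) {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return &HardenedClient{key: k}, nil
}

func (c *HardenedClient) Seal(r tenantRecord) ([]byte, error) { return sealWith(c.key, encode(r)) }

func (c *HardenedClient) Open(blob []byte) (tenantRecord, error) {
	pt, err := openWith(c.key, blob)
	if err != nil {
		return tenantRecord{}, err
	}
	return decode(pt)
}

func main() {
	rec := tenantRecord{Email: "admin@example.com", TenantID: "tenant-42"} // constructed
	blob, _ := VulnerableClientSeal(rec)
	got, err := AttackerDecrypt(blob)
	fmt.Printf("vulnerable client: attacker recovered %+v, err=%v\n", got, err)

	hc, _ := NewHardenedClient()
	blob2, _ := hc.Seal(rec)
	_, err = AttackerDecrypt(blob2)
	fmt.Printf("hardened client: attacker with the binary's key gets err=%v\n", err)
}
```

AES-GCM is used here so that the wrong-key case fails authentication loudly; the advisory does not name the mode MAXHUB used, and the exposure does not depend on it, since with any mode the party holding the shared key reads every tenant's data. The hardened variant only moves the secret out of the binary; it still has to be protected at rest, which is why the keystore step is called out as an assumption.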

Key facts

  • Hardcoded AES key in MAXHUB Pivot client enables decryption of tenant email addresses.
  • The same flaw (CVE-2026-6411) may also allow unauthorized device enrollment into a tenant via MQTT, causing a denial of service.
  • Affects versions prior to v1.36.2; patch released by vendor.
  • CVSS v3 score 7.3 (High severity); impacts Information Technology sector globally.
  • No known public exploitation reported as of initial disclosure date.

KeyAudit data perspective

📊 KeyAudit data: Base historical leak records: 0
