MAXHUB Pivot Client Vulnerability Exposes Tenant Emails, Allows DoS
The National Vulnerability Database (NVD) has detailed CVE-2026-6411, a high-severity vulnerability (CVSS 7.3) in MAXHUB Pivot client application versions prior to v1.36.2. This flaw stems from a hardcoded AES key within the application, a critical security misstep that attackers can exploit to decrypt tenant email addresses and associated metadata.
Attackers can obtain this encrypted data from any tenant and, armed with the hardcoded key, convert it into cleartext. This directly exposes sensitive organizational contact information. Beyond data exposure, the NVD warns that an attacker could also orchestrate a denial-of-service (DoS) condition by enrolling multiple unauthorized devices into a tenant via MQTT, severely disrupting operations.
Hardcoded cryptographic keys are an amateur mistake, yet they persist. For defenders, this isn’t just about patching; it’s about understanding the systemic risk of poorly implemented crypto. An attacker’s calculus here is simple: low effort for high impact, gaining both data and operational disruption capabilities without needing complex exploits.
What This Means For You
- If your organization uses MAXHUB Pivot client application, immediately verify your version. Prioritize upgrading to v1.36.2 or later to mitigate CVE-2026-6411. Beyond patching, assume any tenant email addresses handled by previous versions may be compromised and assess the downstream impact.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-6411 - MAXHUB Pivot Client Hardcoded AES Key Decryption
title: CVE-2026-6411 - MAXHUB Pivot Client Hardcoded AES Key Decryption
id: scw-2026-05-07-ai-1
status: experimental
level: high
description: |
Detects the execution of the MAXHUB Pivot client with command-line arguments indicative of attempting to decrypt tenant email addresses using the hardcoded AES key, as described in CVE-2026-6411. This is a primary indicator of exploitation for data exfiltration.
author: SCW Feed Engine (AI-generated)
date: 2026-05-07
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-6411/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: process_creation
detection:
selection:
Image|endswith:
- 'MAXHUB Pivot.exe'
CommandLine|contains:
- 'decrypt'
- 'AES'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-6411 | Information Disclosure | MAXHUB Pivot client application versions prior to v1.36.2 |
| CVE-2026-6411 | Information Disclosure | Hardcoded AES key within MAXHUB Pivot client application |
| CVE-2026-6411 | DoS | MAXHUB Pivot client application versions prior to v1.36.2 via MQTT unauthorized device enrollment |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 08, 2026 at 02:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-8117 — SourceCodester Pizzafy Ecommerce System Vulnerability
CVE-2026-8117 — A security vulnerability has been detected in SourceCodester Pizzafy Ecommerce System 1.0. This issue affects some unknown processing of the file /admin/index.php. Such...
CVE-2026-8116 — Unknown Code Of The File Src/Controllers/DxtController.Ts Path Traversal
CVE-2026-8116 — A weakness has been identified in huangjunsen0406 xiaozhi-mcphub up to 1.0.3. This vulnerability affects unknown code of the file src/controllers/dxtController.ts. This manipulation of...
CVE-2026-8115 — Gyoridavid Short-Video-Maker Path Traversal
CVE-2026-8115 — A security flaw has been discovered in gyoridavid short-video-maker up to 1.3.4. This affects an unknown part of the file src/server/routers/rest.ts of the...