MAXHUB Pivot App Exposes Tenant Emails via Hardcoded Key

Critical vulnerability allows attackers to decrypt tenant email addresses and cause denial-of-service conditions

Summary

  • MAXHUB Pivot client application contains hardcoded AES encryption key exposing tenant email addresses
  • Attackers can decrypt sensitive data and enrol unauthorised devices to disrupt operations
  • Update to version 1.36.2 or newer available via OTA to remediate the vulnerability

A critical vulnerability in the MAXHUB Pivot client application allows attackers to access tenant email addresses and associated information in cleartext, according to a CISA advisory published this week.

The vulnerability, tracked as CVE-2026-6411, affects versions prior to v1.36.2 of the collaboration software. The flaw stems from a hardcoded AES encryption key embedded within the application, enabling attackers to decrypt what should be protected tenant data.

Technical details

The vulnerability carries a CVSS score of 7.3, classified as high severity. Attackers can exploit the flaw remotely without authentication or user interaction, according to the CISA advisory.

Beyond data exposure, attackers may cause denial-of-service conditions by enrolling multiple unauthorised devices into a tenant via the MQTT protocol. This could potentially disrupt tenant operations across affected deployments.

The vulnerability is classified under CWE-327: Use of a Broken or Risky Cryptographic Algorithm, highlighting fundamental flaws in the application’s security architecture.

Affected systems

MAXHUB Pivot is deployed worldwide across information technology sectors. The vulnerability affects all versions of the client application prior to v1.36.2, according to CISA.

MAXHUB, headquartered in the United States, has released remediation through an over-the-air update to version 1.36.2.

Current threat status

MAXHUB reports no awareness of public exploitation of this vulnerability at this time, according to the CISA advisory.

Users running version 1.36.2 or later are not affected but should maintain current versions as standard practice.

Why It Matters

This vulnerability represents a fundamental cryptographic failure affecting collaboration software that may handle sensitive corporate communications. The hardcoded key issue suggests poor security development practices that could extend beyond this single flaw.

For CISOs, this highlights the importance of vendor security assessments for collaboration tools, particularly those handling email addresses and operational metadata that could facilitate targeted attacks.

What To Do Now

  • Update the MAXHUB Pivot client application to version 1.36.2 or newer via the available OTA update
  • Verify current version status across all deployed instances
  • Consult the MAXHUB support page for additional guidance
  • Ensure ongoing maintenance of latest application versions
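The version check in the steps above is where inventory scripts most often go wrong: comparing version strings lexicographically reports "1.36.10" as older than "1.36.2". The following script is an added example, not code from MAXHUB or the CISA advisory; it assumes you already have an inventory of hostnames and reported client versions (how that inventory is collected is not described on this page), and the hostnames and versions in it are constructed sample data. Only the fixed version, 1.36.2, comes from the advisory.

```python
"""Audit an inventory of MAXHUB Pivot client versions against the fixed release."""
import re

# Fixed version per the CISA advisory summarised above.
FIXED_VERSION = "1.36.2"


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '1.36.2' or 'v1.36.10' into a tuple of ints so comparison is numeric.

    Assumes the client reports a plain dotted version, optionally 'v'-prefixed;
    anything else is treated as unparsable rather than silently guessed.
    """
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the reported version is strictly older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    {"host": "room-101", "version": "v1.35.9"},
    {"host": "room-102", "version": "1.36.2"},
    {"host": "room-103", "version": "1.36.10"},  # newer than 1.36.2 despite sorting first as a string
    {"host": "room-104", "version": "1.9.0"},
    {"host": "room-105", "version": "unknown"},  # device did not report a version
]


def audit(inventory):
    """Split an inventory into (needs_update, ok, unparsable) lists of hostnames."""
    needs_update, ok, unparsable = [], [], []
    for entry in inventory:
        try:
            vulnerable = is_vulnerable(entry["version"])
        except ValueError:
            # Treat an unreadable version as a finding to follow up, not as patched.
            unparsable.append(entry["host"])
            continue
        (needs_update if vulnerable else ok).append(entry["host"])
    return needs_update, ok, unparsable


if __name__ == "__main__":
    needs_update, ok, unparsable = audit(SAMPLE_INVENTORY)
    print("needs update (< %s):" % FIXED_VERSION, needs_update)
    print("already fixed:", ok)
    print("version unreadable, check manually:", unparsable)
```

Hosts whose version cannot be parsed are reported separately rather than assumed safe, so a device that fails to report a version still surfaces in the follow-up list.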

Sources