CVE-2026-9568 LOW

CVE-2026-9568: ThingsBoard YAML provision getGatewayDockerComposeFile code injection

Vendor N/A
Product ThingsBoard
Weakness CWE-94 · Code injection
Published May 26, 2026
Last update May 27, 2026

CVSS base score

2.3/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X

What the vulnerability does

01Description

A weakness has been identified in ThingsBoard up to 4.3.1.1. Affected by this vulnerability is the function getGatewayDockerComposeFile of the file /api/v1/provision of the component YAML Handler. This manipulation causes code injection. It is possible to initiate the attack remotely. The attack's complexity is rated as high. The exploitation appears to be difficult. The project was informed of the problem early through a pull request but has not reacted yet.

Key dates

02Disclosure timeline

May 26, 2026 CVE published
May 27, 2026 Record updated