Code Injection Vulnerability in ThingsBoard by ThingsBoard
CVE-2026-9568

2.3 LOW

Key Information:

Vendor
CVE Published: 26 May 2026

What is CVE-2026-9568?

A code injection vulnerability affects ThingsBoard versions up to 4.3.1.1. The flaw is in the getGatewayDockerComposeFile function, reached through the /api/v1/provision endpoint of the YAML Handler component. It can be exploited remotely to inject code, allowing an attacker to execute arbitrary code. The issue has been acknowledged in community discussions, and the vendor was made aware of it early through a pull request, but the vendor has not yet provided a remediation response.

Affected Version(s)

ThingsBoard 4.3.1.0

ThingsBoard 4.3.1.1

References

CVSS V4

Score: 2.3
Severity: LOW
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

sunshinetoyou (VulDB User)
VulDB CNA Team