Main Vulnerability Database Vulnerabilities #VU123635

Improper Authentication in Hue Bridge V2 - CVE-2026-3559

Published: March 9, 2026

Vulnerability identifier: #VU123635

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2026-3559

CWE-ID: CWE-287

Exploitation vector: Adjecent network

Exploit availability: No public exploit available

Vendor: Philips

Affected software:
Hue Bridge V2

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error when processing authentication requests within the configuration of the SRP authentication mechanism in the HomeKit Accessory Protocol service. A remote attacker on the local network can bypass authentication process and gain unauthorized access to the application.

How to mitigate CVE-2026-3559

Install updates from vendor's website.

Sources

https://www.zerodayinitiative.com/advisories/ZDI-26-157/

Improper Authentication in Hue Bridge V2 - CVE-2026-3559

Detailed vulnerability description

How to mitigate CVE-2026-3559

Sources

Please verify you're human