Platform: other
Component: dirigera
Fixed in: 2.866.5
CVE-2026-3588 describes a server-side request forgery (SSRF) vulnerability discovered in the IKEA Dirigera Hub. This flaw allows an attacker to potentially exfiltrate sensitive private keys from the device by manipulating HTTP requests. The vulnerability impacts versions 0 through 2.866.4 of the Dirigera Hub, and a patch is expected to be released by IKEA.
The SSRF vulnerability in the IKEA Dirigera Hub poses a significant risk to user privacy and security. An attacker exploiting this flaw could craft malicious requests that cause the Dirigera Hub to send requests to internal or external resources, potentially exposing private keys stored on the device. Successful exploitation could lead to unauthorized access to connected smart home devices, data breaches, and potential compromise of the user's entire smart home ecosystem. The potential for lateral movement within a home network is also a concern if the Dirigera Hub acts as a central control point.
CVE-2026-3588 was publicly disclosed on 2026-03-09. The vulnerability's SSRF nature suggests potential for exploitation similar to other SSRF vulnerabilities where internal services or data are exposed. As of this writing, there are no known public proof-of-concept exploits. The vulnerability is not currently listed on CISA KEV, and the EPSS score is pending evaluation.
Exploit Status
EPSS: 0.03% (7th percentile)
CISA SSVC
CVSS Vector
While a patch is pending, several mitigation steps can be taken to reduce the risk. First, segment the network to isolate the Dirigera Hub from sensitive internal resources. Implement strict firewall rules that restrict outbound connections from the Hub to only the services it needs. Regularly review network traffic logs for suspicious activity, in particular connections originating from the Hub to hosts it has no reason to contact. Consider temporarily disabling any unnecessary features or integrations within the Dirigera Hub to minimize the attack surface. Once IKEA releases a patch, apply it immediately. After upgrading, confirm that the Dirigera Hub is running the latest firmware version through the IKEA Home smart app.
Update the IKEA Dirigera hub to a version later than 2.866.4 to mitigate the SSRF vulnerability. This will prevent an attacker from exfiltrating private keys via crafted requests. Refer to the IKEA website for the latest firmware version and update instructions.
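The log review suggested above can be automated. The following is an added example, not code from the advisory or from IKEA: it parses netfilter LOG-style lines (constructed here) and flags connections that originate from the Hub's address and fall outside an egress allowlist, separating Hub-to-LAN traffic (the pattern an SSRF against the Hub would produce) from unexpected Internet egress. The Hub address, LAN range and allowlist are placeholder values you would replace with your own.

```python
import ipaddress
import re

# Constructed placeholder values for this example: the Hub's LAN address, the
# home LAN range, and an egress allowlist of (destination network, port).
HUB_IP = ipaddress.ip_address("192.168.1.50")
LAN_NETWORK = ipaddress.ip_network("192.168.1.0/24")
EGRESS_ALLOWLIST = [
    (ipaddress.ip_network("192.168.1.1/32"), 53),    # LAN resolver on the router
    (ipaddress.ip_network("192.168.1.1/32"), 123),   # NTP via the router
    (ipaddress.ip_network("203.0.113.0/24"), 443),   # vendor cloud (placeholder range)
]

# netfilter LOG records carry KEY=VALUE fields; we only need SRC, DST and DPT.
_FIELD = re.compile(r"\b(SRC|DST|DPT)=(\S+)")

def parse_line(line):
    """Return a dict with SRC, DST and DPT, or None if any field is missing."""
    fields = dict(_FIELD.findall(line))
    if not {"SRC", "DST", "DPT"} <= set(fields):
        return None
    return fields

def classify(rec):
    """Classify one Hub-originated connection; None if the source is not the Hub."""
    if ipaddress.ip_address(rec["SRC"]) != HUB_IP:
        return None
    dst = ipaddress.ip_address(rec["DST"])
    port = int(rec["DPT"])
    if any(dst in net and port == p for net, p in EGRESS_ALLOWLIST):
        return "allowed"
    # The Hub contacting other LAN hosts is what a forged server-side request looks like.
    if dst in LAN_NETWORK:
        return "internal-target"
    return "unexpected-egress"

def review(lines):
    """Return non-allowed Hub connections as (verdict, destination, port) tuples."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict not in (None, "allowed"):
            findings.append((verdict, rec["DST"], int(rec["DPT"])))
    return findings

SAMPLE_LOG = [  # constructed sample records
    "kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.20 PROTO=TCP DPT=443",
    "kernel: FW-OUT IN=br0 OUT=br0 SRC=192.168.1.50 DST=192.168.1.10 PROTO=TCP DPT=8080",
    "kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.7 PROTO=TCP DPT=80",
    "kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.7 PROTO=TCP DPT=80",
]

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```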
CVE-2026-3588 is a server-side request forgery vulnerability in the IKEA Dirigera Hub, allowing attackers to potentially exfiltrate private keys via crafted requests.
If you are using IKEA Dirigera Hub versions 0 through 2.866.4, you are potentially affected by this vulnerability.
Upgrade to the latest patched version of the IKEA Dirigera Hub as soon as it becomes available. Until then, implement network segmentation and firewall rules.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the official IKEA support website and security advisories for updates and information regarding CVE-2026-3588.