2.866.5
CVE-2026-3588 describes a server-side request forgery (SSRF) vulnerability discovered in the IKEA Dirigera Hub. The flaw could allow an attacker to exfiltrate private keys stored on the device by sending crafted HTTP requests to the Hub. The vulnerability affects Dirigera Hub versions 0 through 2.866.4, and a patch is expected to be released by IKEA.
The SSRF vulnerability in the IKEA Dirigera Hub poses a significant risk to user privacy and security. An attacker who can reach the Hub's HTTP interface could craft requests that make the Hub itself issue requests to internal or external resources of the attacker's choosing, and the advisory states that this can expose private keys stored on the device. Because the Hub is the central control point for the connected devices, compromise of those keys could lead to unauthorized control of smart home devices and broader compromise of the home network. The Hub's position on the LAN also makes lateral movement to other internal hosts a concern, since an SSRF can be pointed at them.
CVE-2026-3588 was publicly disclosed on 2026-03-09. As with other SSRF vulnerabilities, the core concern is that internal services or data become reachable through the vulnerable device. As of this writing there are no known public proof-of-concept exploits, the vulnerability is not listed on CISA KEV, and the EPSS score is low (0.03%, 7th percentile).
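The mechanism described in the paragraph above, as an added illustration that is not IKEA's code and says nothing about where the Hub's own flaw sits: a fetch routine that trusts a caller-supplied URL, beside a hardened version that pins scheme, host and resolved address before any connection is made. The hostnames, the resolver table and the allowlist are constructed for the example so it runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline; none of these
# names or addresses come from the advisory or from IKEA.
FAKE_DNS = {
    "updates.example.com": ["8.8.8.8"],        # placeholder public address
    "evil.example.net": ["127.0.0.1"],         # public-looking name, loopback answer
    "nas.home.lan": ["192.168.1.20"],          # an internal host on the home LAN
}


def resolve(host):
    """Literal IPs resolve to themselves; names go through the constructed table."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return FAKE_DNS.get(host, [])


def vulnerable_target(url):
    """The SSRF pattern: hand the caller-supplied URL straight to the HTTP client.
    Whatever host it names, internal or external, is what the device will contact."""
    return urlsplit(url).hostname


def is_disallowed_ip(ip):
    """Addresses a network device should never be coaxed into fetching from."""
    a = ipaddress.ip_address(ip)
    if a.version == 6 and a.ipv4_mapped is not None:
        return is_disallowed_ip(str(a.ipv4_mapped))   # ::ffff:127.0.0.1 and friends
    return (a.is_private or a.is_loopback or a.is_link_local
            or a.is_multicast or a.is_reserved or a.is_unspecified)


def safe_target(url, allowed_hosts=frozenset({"updates.example.com"}), resolver=resolve):
    """Return (host, pinned_ip) for an acceptable URL, or None to refuse it.

    Order matters: scheme allowlist, no userinfo tricks, host allowlist, then
    resolve and check every answer, pinning the first one so the later connect
    cannot be rebound to an internal address by a second lookup."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None
    if parts.username is not None or parts.password is not None:
        return None
    host = parts.hostname                      # already lower-cased by urlsplit
    if not host or host not in allowed_hosts:
        return None
    ips = resolver(host)
    if not ips or any(is_disallowed_ip(ip) for ip in ips):
        return None
    return host, ips[0]
```

The pinned address is what the caller should connect to, with the allowlisted hostname supplied separately for TLS verification; resolving again at connect time would reopen the rebinding window the check closes.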
Users who rely on the IKEA Dirigera Hub as the central control point for their smart home devices are at risk. This includes individuals with complex smart home setups, those who have integrated the Dirigera Hub with other smart home platforms, and users who have not segmented the Hub from the rest of their home network.
EPSS: 0.03% (7th percentile)
While a patch is pending, several mitigation steps reduce the risk. First, segment the network so the Dirigera Hub sits on its own IoT VLAN, isolated from workstations, NAS devices and other sensitive internal resources that an SSRF could be pointed at. Implement strict firewall rules that restrict the Hub's outbound connections to the services it actually needs. Regularly review network traffic logs for connections from the Hub to unexpected internal or external destinations. Consider temporarily disabling unnecessary features or integrations in the Dirigera Hub to minimize the attack surface. Once IKEA releases a patch, apply it immediately, then confirm that the Hub is running the latest firmware version through the IKEA Home smart app.
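The segmentation, firewall and log-review steps above, worked as one added example that is not from IKEA or the advisory: a hub address, an IoT VLAN and an egress allowlist are assumed, a few constructed firewall flow records are reviewed against that policy, and the same policy is emitted as an nftables forward-chain fragment so the log check and the enforced rules cannot drift apart.

```python
import ipaddress

# Assumed deployment values for the example; substitute your own. Not from IKEA.
HUB_IP = ipaddress.ip_address("192.168.20.50")      # hub placed on a dedicated IoT VLAN
IOT_VLAN = ipaddress.ip_network("192.168.20.0/24")   # bulbs, sensors, the VLAN gateway/resolver
PUBLIC_PORTS_ALLOWED = {("tcp", 443), ("udp", 123)}  # vendor cloud over HTTPS, NTP

# Constructed flow records in a simplified 'ts src dst dport proto' shape.
SAMPLE_FLOWS = [
    "2026-03-09T10:00:01Z 192.168.20.50 192.168.20.77 5683 udp",  # hub -> bulb, on-VLAN
    "2026-03-09T10:00:02Z 192.168.20.50 8.8.8.8 443 tcp",         # hub -> placeholder public HTTPS
    "2026-03-09T10:00:03Z 192.168.20.50 10.0.0.5 445 tcp",        # hub -> NAS on another VLAN
    "2026-03-09T10:00:04Z 192.168.20.50 1.1.1.1 8080 tcp",        # hub -> public host, odd port
    "2026-03-09T10:00:05Z 192.168.10.3 192.168.20.50 8443 tcp",   # laptop -> hub, not egress
]


def parse_flow(line):
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "dport": int(dport), "proto": proto}


def classify(flow):
    """None for expected hub egress, otherwise a one-line reason to investigate."""
    if flow["src"] != HUB_IP:
        return None                                   # only the hub's own egress is policed
    dst, port, proto = flow["dst"], flow["dport"], flow["proto"]
    if dst in IOT_VLAN:
        return None                                   # local device control stays on the VLAN
    if dst.is_private or dst.is_loopback or dst.is_link_local:
        return f"hub reached internal host {dst}:{port} outside the IoT VLAN (SSRF pivot?)"
    if (proto, port) in PUBLIC_PORTS_ALLOWED:
        return None
    return f"hub egress to {dst}:{port}/{proto} not in allowlist"


def review(lines):
    """Flows from the hub that violate the policy, as (timestamp, reason) pairs."""
    findings = []
    for flow in map(parse_flow, lines):
        reason = classify(flow)
        if reason:
            findings.append((flow["ts"], reason))
    return findings


def nft_rules():
    """The same policy as nftables rules for the router's forward chain.
    The first rule only matters if the IoT VLAN is routed; same-segment
    traffic never traverses the forward chain."""
    rules = [f"ip saddr {HUB_IP} ip daddr {IOT_VLAN} accept"]
    for proto, port in sorted(PUBLIC_PORTS_ALLOWED):
        rules.append(f"ip saddr {HUB_IP} {proto} dport {port} accept")
    rules.append(f'ip saddr {HUB_IP} log prefix "hub-egress-denied " drop')
    return rules


if __name__ == "__main__":
    for ts, reason in review(SAMPLE_FLOWS):
        print(ts, reason)
    print("\n".join(nft_rules()))
```

The denied-egress log prefix is what makes the review step cheap: once the rules are in place, anything the hub tries that the policy does not cover shows up tagged in the firewall log instead of having to be hunted for in raw flow data.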
Updating the IKEA Dirigera Hub to a version later than 2.866.4 mitigates the SSRF vulnerability and prevents an attacker from exfiltrating private keys via crafted requests. Refer to the IKEA website for the latest firmware and update procedure.
CVE-2026-3588 is a server-side request forgery vulnerability in the IKEA Dirigera Hub, allowing attackers to potentially exfiltrate private keys via crafted requests.
If you are using IKEA Dirigera Hub versions 0 through 2.866.4, you are potentially affected by this vulnerability.
Upgrade to the latest patched version of the IKEA Dirigera Hub as soon as it becomes available. Until then, implement network segmentation and firewall rules.
As of now, there are no confirmed reports of active exploitation, but a network-reachable SSRF on a central hub is an attractive target once details circulate, so treat unpatched devices as exposed.
Refer to the official IKEA support website and security advisories for updates and information regarding CVE-2026-3588.