Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.6.0, the Konnected integration registers an HTTP endpoint, KonnectedView (homeassistant/components/konnected/__init__.py), that is marked as not requiring authentication (requires_auth = False). A comment next to that line says auth is instead handled "via the access token from configuration." That promise is only half true. Write requests (POST and PUT) are handled by update_sensor(), which does check the request's Authorization: Bearer <token> header against the integration's stored access tokens (using hmac.compare_digest). Read requests (GET) are handled by a separate get() method that has no authentication check at all. This vulnerability is fixed in 2026.6.0.
oryginał ENCVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:LHome Assistant
APPHome-Assistant< 2026.6.0
Powiązane podatności
homeassistant is an open source home automation tool. A remotely exploitable vulnerability bypassing authentic...
Home Assistant is open source home automation software that puts local control and privacy first. Starting in ...
Home Assistant is open source home automation software that puts local control and privacy first. Starting in ...
Home assistant is an open source home automation. Home Assistant server does not set any HTTP security headers...
Home assistant is an open source home automation. The Home Assistant login page allows users to use their loca...