CRITICAL🇵🇱 Wersja polska

CVE-2023-4617

CVSS 10.0v3.1pub. 2024-12-19upd. 2026-04-15

Incorrect authorization vulnerability in HTTP POST method in Govee Home application on Android and iOS allows remote attacker to control devices owned by other users via changing "device", "sku" and "type" fields' values.  This issue affects Govee Home applications on Android and iOS in versions before 5.9.

🤖 AI Analysis
How it works

The Govee Home application does not properly verify whether the user sending an HTTP POST request is the owner of the specified device. An attacker can modify the values of 'device', 'sku', and 'type' fields in the request body, providing identifiers of devices belonging to other users. This makes it possible to issue commands to others' devices without any authorization and without requiring victim interaction.

Impact

An attacker can gain full control over smart home devices of other users (e.g., lighting, home appliances), affecting their availability and operational integrity. The attack is possible remotely, without authentication, and without the device owner's knowledge.

Mitigation & patch

Update the Govee Home application to version 5.9 or later, available in Google Play Store and Apple App Store. Until the update is applied, it is recommended to limit the use of the application in public environments.

Who is affected

Govee Home application on Android and iOS in versions earlier than 5.9.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References