HIGH🇵🇱 Wersja polska

CVE-2026-54317

CVSS 7.6v3.1pub. 2026-06-23upd. 2026-06-26

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.6.0, the Konnected integration registers an HTTP endpoint, KonnectedView (homeassistant/components/konnected/__init__.py), that is marked as not requiring authentication (requires_auth = False). A comment next to that line says auth is instead handled "via the access token from configuration." That promise is only half true. Write requests (POST and PUT) are handled by update_sensor(), which does check the request's Authorization: Bearer <token> header against the integration's stored access tokens (using hmac.compare_digest). Read requests (GET) are handled by a separate get() method that has no authentication check at all. This vulnerability is fixed in 2026.6.0.

CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
  • Home Assistant

    APP
    Home-Assistant
    < 2026.6.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2023-27482CRITICAL10.0ten sam produkt

homeassistant is an open source home automation tool. A remotely exploitable vulnerability bypassing authentic...

CVE-2026-33045HIGH7.3ten sam produkt

Home Assistant is open source home automation software that puts local control and privacy first. Starting in ...

CVE-2026-33044HIGH7.3ten sam produkt

Home Assistant is open source home automation software that puts local control and privacy first. Starting in ...

CVE-2023-41897HIGH8.8ten sam produkt

Home assistant is an open source home automation. Home Assistant server does not set any HTTP security headers...

CVE-2023-41895HIGH8.8ten sam produkt

Home assistant is an open source home automation. The Home Assistant login page allows users to use their loca...