Homebox
CVE-2026-27981
HIGH
Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
HomeBox is a home inventory and organization system. Prior to 0.24.0, the authentication rate limiter (authRateLimiter) tracks failed attempts per client IP. It determines the client IP by reading, 1. X-Real-IP header, 2. First entry of X-Forwarded-For header, and 3. r.RemoteAddr (TCP connection address). These headers were read unconditionally. An attacker connecting directly to Homebox could forge any value in X-Real-IP, effectively getting a fresh rate limit identity per request. There is a TrustProxy option in the configuration (Options.TrustProxy, default false), but this option was never read by any middleware or rate limiter code. Additionally, chi's middleware.RealIP was applied unconditionally in main.go, overwriting r.RemoteAddr with the forged header value before it reaches any handler. This vulnerability is fixed in 0.24.0.
AnalysisAI
Homebox prior to version 0.24.0 fails to validate the TrustProxy configuration setting, allowing attackers to bypass authentication rate limiting by forging the X-Real-IP header on direct connections. This enables an attacker to attempt unlimited authentication attempts by spoofing a different IP address for each request, compromising both confidentiality and integrity of the system. The vulnerability affects all Homebox installations where the TrustProxy option is disabled or misconfigured.
Technical ContextAI
This vulnerability (CWE-307: Improper Restriction of Excessive Authentication Attempts) affects Homebox. HomeBox is a home inventory and organization system. Prior to 0.24.0, the authentication rate limiter (authRateLimiter) tracks failed attempts per client IP. It determines the client IP by reading, 1. X-Real-IP header, 2. First entry of X-Forwarded-For header, and 3. r.RemoteAddr (TCP connection address). These headers were read unconditionally. An attacker connecting directly to Homebox could forge any value in X-Real-IP, effectively getting a fresh rate limit identity per request. There is a T
RemediationAI
Fixed in version 0.24.0.. Restrict network access to the affected service where possible.
Broken access control in HomeBox prior to 0.25.0 allows authenticated users with revoked group access to continue perfor
Homebox prior to 0.24.0-rc.1 allows authenticated users to trigger HTTP POST requests to arbitrary destinations through
Stored XSS in Homebox prior to 0.24.0-rc.1 allows authenticated users to upload malicious HTML or SVG files containing e
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today