EUVD-2026-16793CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4Description
Home Assistant is open source home automation software that puts local control and privacy first. Home Assistant apps (formerly add-ons) configured with host network mode expose unauthenticated endpoints bound to the internal Docker bridge interface to the local network. On Linux, this configuration does not restrict access to the app as intended, allowing any device on the same network to reach these endpoints without authentication. Home Assistant Supervisor 2026.03.02 addresses the issue.
Analysis
Unauthenticated network access to Home Assistant apps bypasses intended Docker isolation on Linux systems, exposing internal services to any device on the local network. Apps configured with host network mode inadvertently bind internal Docker bridge endpoints to the broader LAN without authentication controls, enabling unauthorized access with high confidentiality, integrity, and availability impact (CVSS 9.6). …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all Home Assistant Supervisor instances running versions prior to 2026.03.02 and assess network architecture (verify if host network mode is enabled). Within 7 days: Apply vendor-released patch to Home Assistant Supervisor 2026.03.02 or later on all affected systems; if patching is not immediately feasible, implement Layer 2/3 network segmentation to isolate Home Assistant instances from general-purpose LAN. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today