Severity by source
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.4.1 for iOS and 2026.4.4 for Android, he Home Assistant Companion apps for Android and iOS expose a JavaScript bridge to the in-app WebView window.externalApp on Android and webkit.messageHandlers.getExternalAuth (alongside revokeExternalAuth and externalBus) on iOS. Two flaws expose the bridge to all frames (including cross-origin iframes) and unsanitized interpolation of the JavaScript callback identifier allows a cross-origin iframe rendered inside the Companion app to execute arbitrary JavaScript in the Home Assistant frontend's main-frame origin and exfiltrate the signed-in user's access token. This vulnerability is fixed in 2026.4.1 for iOS and 2026.4.4 for Android.
AnalysisAI
Cross-origin JavaScript injection in Home Assistant Companion apps for Android (before 2026.4.4) and iOS (before 2026.4.1) allows a malicious iframe loaded inside the app's WebView to execute arbitrary JavaScript in the Home Assistant frontend's origin and steal the signed-in user's access token. The flaw stems from exposing the native JavaScript bridge (window.externalApp on Android, webkit.messageHandlers.getExternalAuth on iOS) to all frames combined with unsanitized callback identifier interpolation. No public exploit identified at time of analysis, and the issue is not in CISA KEV.
Technical ContextAI
The vulnerability sits in the JavaScript bridge that the Companion apps inject into the in-app WKWebView (iOS) and Android WebView to give the Home Assistant frontend access to native capabilities such as authentication token retrieval (getExternalAuth/revokeExternalAuth) and event passing (externalBus). Two compounding defects map to CWE-94 (Improper Control of Generation of Code, i.e., code injection): first, the bridge handlers were attached without origin or frame isolation, so any nested or cross-origin iframe rendered inside the Companion app's WebView could invoke them; second, the callback identifier supplied by the JS caller was interpolated directly into the JavaScript executed back in the main frame, letting an attacker break out of the expected callback name and emit arbitrary code into the parent (home-assistant.io / local Home Assistant) origin. CPE strings indicate both the iOS Companion App (cpe:2.3:a:home_assistant:companion_app_(ios)) and Android Companion App (cpe:2.3:a:home_assistant:companion_app_(android)) packages are affected, with Home Assistant core (cpe:2.3:a:home-assistant:core) also enumerated as a related component.
RemediationAI
Vendor-released patches are available: upgrade the iOS Companion App to 2026.4.1 or later and the Android Companion App to 2026.4.4 or later via the App Store and Google Play, per the GitHub Security Advisory at https://github.com/home-assistant/core/security/advisories/GHSA-7jp2-p2fw-mgvf. Until users update, administrators should avoid embedding untrusted third-party content (webpage cards, iframe cards, custom Lovelace resources from unknown sources) in dashboards that are opened inside the Companion app, since the bridge is exposed to all frames - note this disables legitimate iframe/webpage integrations as a side effect. After patching, rotate or revoke long-lived access tokens issued to mobile users in case tokens were previously exfiltrated, accepting that this forces re-authentication on all client devices.
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33317