Skip to main content

Home Assistant Companion CVE-2026-44698

| EUVDEUVD-2026-33317 HIGH
Code Injection (CWE-94)
2026-05-29 GitHub_M
8.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.3 HIGH
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
May 29, 2026 - 15:01 EUVD
Analysis Generated
May 29, 2026 - 14:22 vuln.today
CVE Published
May 29, 2026 - 13:32 nvd
HIGH 8.3

DescriptionGitHub Advisory

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.4.1 for iOS and 2026.4.4 for Android, he Home Assistant Companion apps for Android and iOS expose a JavaScript bridge to the in-app WebView window.externalApp on Android and webkit.messageHandlers.getExternalAuth (alongside revokeExternalAuth and externalBus) on iOS. Two flaws expose the bridge to all frames (including cross-origin iframes) and unsanitized interpolation of the JavaScript callback identifier allows a cross-origin iframe rendered inside the Companion app to execute arbitrary JavaScript in the Home Assistant frontend's main-frame origin and exfiltrate the signed-in user's access token. This vulnerability is fixed in 2026.4.1 for iOS and 2026.4.4 for Android.

AnalysisAI

Cross-origin JavaScript injection in Home Assistant Companion apps for Android (before 2026.4.4) and iOS (before 2026.4.1) allows a malicious iframe loaded inside the app's WebView to execute arbitrary JavaScript in the Home Assistant frontend's origin and steal the signed-in user's access token. The flaw stems from exposing the native JavaScript bridge (window.externalApp on Android, webkit.messageHandlers.getExternalAuth on iOS) to all frames combined with unsanitized callback identifier interpolation. No public exploit identified at time of analysis, and the issue is not in CISA KEV.

Technical ContextAI

The vulnerability sits in the JavaScript bridge that the Companion apps inject into the in-app WKWebView (iOS) and Android WebView to give the Home Assistant frontend access to native capabilities such as authentication token retrieval (getExternalAuth/revokeExternalAuth) and event passing (externalBus). Two compounding defects map to CWE-94 (Improper Control of Generation of Code, i.e., code injection): first, the bridge handlers were attached without origin or frame isolation, so any nested or cross-origin iframe rendered inside the Companion app's WebView could invoke them; second, the callback identifier supplied by the JS caller was interpolated directly into the JavaScript executed back in the main frame, letting an attacker break out of the expected callback name and emit arbitrary code into the parent (home-assistant.io / local Home Assistant) origin. CPE strings indicate both the iOS Companion App (cpe:2.3:a:home_assistant:companion_app_(ios)) and Android Companion App (cpe:2.3:a:home_assistant:companion_app_(android)) packages are affected, with Home Assistant core (cpe:2.3:a:home-assistant:core) also enumerated as a related component.

RemediationAI

Vendor-released patches are available: upgrade the iOS Companion App to 2026.4.1 or later and the Android Companion App to 2026.4.4 or later via the App Store and Google Play, per the GitHub Security Advisory at https://github.com/home-assistant/core/security/advisories/GHSA-7jp2-p2fw-mgvf. Until users update, administrators should avoid embedding untrusted third-party content (webpage cards, iframe cards, custom Lovelace resources from unknown sources) in dashboards that are opened inside the Companion app, since the bridge is exposed to all frames - note this disables legitimate iframe/webpage integrations as a side effect. After patching, rotate or revoke long-lived access tokens issued to mobile users in case tokens were previously exfiltrated, accepting that this forces re-authentication on all client devices.

Share

CVE-2026-44698 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy