Skip to main content

Home Assistant Companion CVE-2026-44698

| EUVD-2026-33317 HIGH
Code Injection (CWE-94)
2026-05-29 GitHub_M
RCE Google Apple Code Injection
8.3
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
May 29, 2026 - 15:01 EUVD
Analysis Generated
May 29, 2026 - 14:22 vuln.today
CVE Published
May 29, 2026 - 13:32 nvd
HIGH 8.3

DescriptionNVD

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.4.1 for iOS and 2026.4.4 for Android, he Home Assistant Companion apps for Android and iOS expose a JavaScript bridge to the in-app WebView window.externalApp on Android and webkit.messageHandlers.getExternalAuth (alongside revokeExternalAuth and externalBus) on iOS. Two flaws expose the bridge to all frames (including cross-origin iframes) and unsanitized interpolation of the JavaScript callback identifier allows a cross-origin iframe rendered inside the Companion app to execute arbitrary JavaScript in the Home Assistant frontend's main-frame origin and exfiltrate the signed-in user's access token. This vulnerability is fixed in 2026.4.1 for iOS and 2026.4.4 for Android.

AnalysisAI

Cross-origin JavaScript injection in Home Assistant Companion apps for Android (before 2026.4.4) and iOS (before 2026.4.1) allows a malicious iframe loaded inside the app's WebView to execute arbitrary JavaScript in the Home Assistant frontend's origin and steal the signed-in user's access token. The flaw stems from exposing the native JavaScript bridge (window.externalApp on Android, webkit.messageHandlers.getExternalAuth on iOS) to all frames combined with unsanitized callback identifier interpolation. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: Audit current Home Assistant Companion app versions in use across the organization (vulnerable versions: Android before 2026.4.4, iOS before 2026.4.1). Within 7 days: Restrict Companion app usage to trusted networks where possible; monitor Home Assistant authentication logs for suspicious token access patterns and implement alerts. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

More from same product – last 7 days

CVE-2026-9872 CRITICAL
9.6 May 28

Sandbox escape in Google Chrome on Android prior to 148.0.7778.216 allows remote attackers to corrupt GPU process memory
CVE-2026-9874 CRITICAL
9.6 May 28

Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker to exploit a use-after-free co
CVE-2026-9886 CRITICAL
9.6 May 28

Sandbox escape in Google Chrome on macOS prior to 148.0.7778.216 allows a remote attacker to break out of the renderer s
CVE-2026-9918 CRITICAL
9.6 May 28

Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker to break out of the renderer s
CVE-2026-9967 CRITICAL
9.6 May 28

Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker to trigger an out-of-bounds wr

Share

CVE-2026-44698 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy