Skip to main content

Home Assistant CVE-2026-55844

| EUVDEUVD-2026-40119 HIGH
Cleartext Transmission of Sensitive Information (CWE-319)
2026-06-29 GitHub_M
7.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.3 MEDIUM

Token interception requires an attacker on the victim's insecure network (AV:A) and the non-default no-other-URL fallback condition (AC:H); impact is confidentiality-only token disclosure (C:H, I/A:N).

3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
Jun 29, 2026 - 16:01 EUVD
Analysis Generated
Jun 29, 2026 - 15:19 vuln.today
CVE Published
Jun 29, 2026 - 14:19 cve.org
HIGH 7.5

DescriptionCVE.org

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2025.5.0, The iOS companion app ignores the SSID allowlist for internal networks. The app uses SSID to detect when to use the internal URL, but whenever the app cannot find any other URL to be used, it fallbacks to the internal URL as well, which can expose user's token when connected to a not secure network. This vulnerability is fixed in 2025.5.0.

AnalysisAI

Sensitive token disclosure affects the Home Assistant iOS companion app prior to 2025.5.0, where the app ignores the configured SSID allowlist meant to gate internal-network access. Because the app falls back to the internal URL whenever no other URL is available, it can transmit the user's authentication token to the internal endpoint while the device is connected to an untrusted or insecure Wi-Fi network, enabling interception. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Position on victim's insecure network
Exploit
App ignores SSID allowlist, falls back to internal URL
Execution
Intercept cleartext auth token in transit
Impact
Replay token for authenticated Home Assistant access

Vulnerability AssessmentAI

Exploitation Exploitation requires the iOS companion app (pre-2025.5.0) to be unable to resolve any other configured URL, triggering its fallback to the internal URL despite the SSID not matching the internal-network allowlist; the victim device must be connected to an insecure/untrusted network on which an attacker is positioned to eavesdrop the token in transit. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The published CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/C:H/I:N/A:N, 7.5) treats this as a remote, no-privilege confidentiality breach, but the described mechanism - token exposure when the victim's device is on an insecure network and the app falls back to the internal URL - implies an adjacent, man-in-the-middle/eavesdropping prerequisite rather than direct unauthenticated network exploitation, so the AV:N rating likely overstates reach; an AV:A assessment is more defensible. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A Home Assistant user opens the iOS companion app while connected to an attacker-controlled or open public Wi-Fi network; with no usable external URL resolved, the app ignores the SSID allowlist and contacts the internal URL, transmitting the authentication token. An attacker positioned on that same network intercepts the cleartext token and replays it to gain authenticated access to the victim's Home Assistant instance. …
Remediation Vendor-released patch: 2025.5.0 - upgrade the Home Assistant iOS companion app to 2025.5.0 or later, per advisory GHSA-cm5v-547m-qh5h (https://github.com/home-assistant/core/security/advisories/GHSA-cm5v-547m-qh5h). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify iOS Home Assistant users in your environment and assess their connection patterns to untrusted networks; note that no public exploit has been identified at this time. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Core

View all
CVE-2020-15505 CRITICAL POC
9.8 Jul 07

A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1,

CVE-2022-29777 CRITICAL POC
9.8 Jun 02

Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a heap overflow via t

CVE-2022-29776 CRITICAL POC
9.8 Jun 02

Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a stack overflow via

CVE-2021-38145 CRITICAL POC
9.8 Aug 31

An issue was discovered in Form Tools through 3.0.20. Rated critical severity (CVSS 9.8), this vulnerability is remotely

CVE-2023-5192 MEDIUM POC
6.5 Sep 27

Excessive Data Query Operations in a Large Data Table in GitHub repository pimcore/demo prior to 10.3.0. Rated medium se

CVE-2021-38143 MEDIUM POC
6.1 Aug 31

An issue was discovered in Form Tools through 3.0.20. Rated medium severity (CVSS 6.1), this vulnerability is remotely e

CVE-2020-15506 CRITICAL
9.8 Jul 07

An authentication bypass vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1,

CVE-2021-38144 MEDIUM POC
5.4 Aug 31

An issue was discovered in Form Tools through 3.0.20. Rated medium severity (CVSS 5.4), this vulnerability is remotely e

CVE-2026-23514 HIGH
8.8 Mar 25

An access control vulnerability exists in Kiteworks Core versions 9.2.0 and 9.2.1 that allows authenticated users to acc

CVE-2024-14036 HIGH
8.7 Jun 02

Dräger Core 1.0.5 and Dräger M540 Converter Service 1.0.9 contain a denial of service vulnerability that allows network-

CVE-2020-15235 HIGH
7.5 Oct 05

In RACTF before commit f3dc89b, unauthenticated users are able to get the value of sensitive config keys that would norm

CVE-2020-15507 HIGH
7.5 Jul 07

An arbitrary file reading vulnerability in MobileIron Core versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2,

Share

CVE-2026-55844 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy