Severity by source
AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Local co-installed app with no permissions (AV:L, PR:N, UI:N) injects data that crosses into the Home Assistant server (S:C), affecting integrity only (I:H, C:N, A:N).
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Lifecycle Timeline
4DescriptionCVE.org
Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.5.3, the LocationSensorManager BroadcastReceiver is exported with no permission. Any installed app, with zero runtime permissions, can broadcast a forged Google Play Services LocationResult directly to it; the receiver trusts the extra and forwards it to the user's Home Assistant server as the device's real location. This bypasses Android's developer-mode "Mock Location" gate and allows a local malicious app to drive zone-based automations (unlock door / disarm alarm / open garage) by faking the user's GPS position. This vulnerability is fixed in 2026.5.3.
AnalysisAI
Location spoofing in the Home Assistant Android companion app prior to 2026.5.3 allows any co-installed application - even one with zero runtime permissions - to forge the device's reported GPS position by broadcasting a crafted Google Play Services LocationResult to an unprotected exported BroadcastReceiver. The forged coordinates are forwarded to the user's Home Assistant server as the device's real location, defeating Android's developer-mode Mock Location gate and enabling abuse of zone-based automations such as unlocking doors, disarming alarms, or opening garages. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires a malicious app to be installed on the same Android device as the Home Assistant companion app version prior to 2026.5.3, with the companion app actively signed in to a Home Assistant server and its location sensor enabled. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N (7.1) accurately reflects an attack that is local to the device but requires no permissions or user interaction, with a scope change from the malicious app to the Home Assistant backend and integrity-only impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A user installs a seemingly benign Android app (a flashlight, game, or utility) that requests no runtime permissions and therefore raises no red flags. In the background, the malicious app constructs an Intent targeting the Home Assistant companion's exported LocationSensorManager, attaches a forged Google Play Services LocationResult placing the device inside the 'Home' zone, and calls sendBroadcast; Home Assistant relays the spoofed coordinates to the server, which fires the user's 'arriving home' automation and unlocks the front door while the victim is away. |
| Remediation | Vendor-released patch: upgrade the Home Assistant Android companion app to version 2026.5.3 or later, which unexports LocationSensorManager and introduces the RequestAccurateLocationReceiver proxy that drops attacker-supplied extras (see https://github.com/home-assistant/android/pull/6837 and advisory GHSA-77r5-pw5w-mgj3). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all Home Assistant Android users and notify of vulnerability severity; begin staged testing of version 2026.5.3 in controlled environment. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1,
Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a heap overflow via t
Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a stack overflow via
An issue was discovered in Form Tools through 3.0.20. Rated critical severity (CVSS 9.8), this vulnerability is remotely
Excessive Data Query Operations in a Large Data Table in GitHub repository pimcore/demo prior to 10.3.0. Rated medium se
An issue was discovered in Form Tools through 3.0.20. Rated medium severity (CVSS 6.1), this vulnerability is remotely e
An authentication bypass vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1,
An issue was discovered in Form Tools through 3.0.20. Rated medium severity (CVSS 5.4), this vulnerability is remotely e
An access control vulnerability exists in Kiteworks Core versions 9.2.0 and 9.2.1 that allows authenticated users to acc
Dräger Core 1.0.5 and Dräger M540 Converter Service 1.0.9 contain a denial of service vulnerability that allows network-
Sensitive token disclosure affects the Home Assistant iOS companion app prior to 2025.5.0, where the app ignores the con
In RACTF before commit f3dc89b, unauthenticated users are able to get the value of sensitive config keys that would norm
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38553