Skip to main content

Home Assistant Android EUVDEUVD-2026-38553

| CVE-2026-54318 HIGH
Improper Export of Android Application Components (CWE-926)
2026-06-23 GitHub_M
7.1
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.1 HIGH
AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
vuln.today AI
7.1 HIGH

Local co-installed app with no permissions (AV:L, PR:N, UI:N) injects data that crosses into the Home Assistant server (S:C), affecting integrity only (I:H, C:N, A:N).

3.1 AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
4.0 AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch available
Jun 23, 2026 - 20:01 EUVD
Source Code Evidence Fetched
Jun 23, 2026 - 18:32 vuln.today
Analysis Generated
Jun 23, 2026 - 18:32 vuln.today
CVE Published
Jun 23, 2026 - 17:40 cve.org
HIGH 7.1

DescriptionCVE.org

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.5.3, the LocationSensorManager BroadcastReceiver is exported with no permission. Any installed app, with zero runtime permissions, can broadcast a forged Google Play Services LocationResult directly to it; the receiver trusts the extra and forwards it to the user's Home Assistant server as the device's real location. This bypasses Android's developer-mode "Mock Location" gate and allows a local malicious app to drive zone-based automations (unlock door / disarm alarm / open garage) by faking the user's GPS position. This vulnerability is fixed in 2026.5.3.

AnalysisAI

Location spoofing in the Home Assistant Android companion app prior to 2026.5.3 allows any co-installed application - even one with zero runtime permissions - to forge the device's reported GPS position by broadcasting a crafted Google Play Services LocationResult to an unprotected exported BroadcastReceiver. The forged coordinates are forwarded to the user's Home Assistant server as the device's real location, defeating Android's developer-mode Mock Location gate and enabling abuse of zone-based automations such as unlocking doors, disarming alarms, or opening garages. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Install benign-looking Android app on victim device
Delivery
Craft Intent with forged LocationResult extra
Exploit
Broadcast to exported LocationSensorManager receiver
Execution
Companion app forwards spoofed coordinates to HA server
Persist
Zone-based automation fires on false 'home' presence
Impact
Smart lock disengages or alarm disarms

Vulnerability AssessmentAI

Exploitation Requires a malicious app to be installed on the same Android device as the Home Assistant companion app version prior to 2026.5.3, with the companion app actively signed in to a Home Assistant server and its location sensor enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N (7.1) accurately reflects an attack that is local to the device but requires no permissions or user interaction, with a scope change from the malicious app to the Home Assistant backend and integrity-only impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A user installs a seemingly benign Android app (a flashlight, game, or utility) that requests no runtime permissions and therefore raises no red flags. In the background, the malicious app constructs an Intent targeting the Home Assistant companion's exported LocationSensorManager, attaches a forged Google Play Services LocationResult placing the device inside the 'Home' zone, and calls sendBroadcast; Home Assistant relays the spoofed coordinates to the server, which fires the user's 'arriving home' automation and unlocks the front door while the victim is away.
Remediation Vendor-released patch: upgrade the Home Assistant Android companion app to version 2026.5.3 or later, which unexports LocationSensorManager and introduces the RequestAccurateLocationReceiver proxy that drops attacker-supplied extras (see https://github.com/home-assistant/android/pull/6837 and advisory GHSA-77r5-pw5w-mgj3). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all Home Assistant Android users and notify of vulnerability severity; begin staged testing of version 2026.5.3 in controlled environment. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Core

View all
CVE-2020-15505 CRITICAL POC
9.8 Jul 07

A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1,

CVE-2022-29777 CRITICAL POC
9.8 Jun 02

Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a heap overflow via t

CVE-2022-29776 CRITICAL POC
9.8 Jun 02

Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a stack overflow via

CVE-2021-38145 CRITICAL POC
9.8 Aug 31

An issue was discovered in Form Tools through 3.0.20. Rated critical severity (CVSS 9.8), this vulnerability is remotely

CVE-2023-5192 MEDIUM POC
6.5 Sep 27

Excessive Data Query Operations in a Large Data Table in GitHub repository pimcore/demo prior to 10.3.0. Rated medium se

CVE-2021-38143 MEDIUM POC
6.1 Aug 31

An issue was discovered in Form Tools through 3.0.20. Rated medium severity (CVSS 6.1), this vulnerability is remotely e

CVE-2020-15506 CRITICAL
9.8 Jul 07

An authentication bypass vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1,

CVE-2021-38144 MEDIUM POC
5.4 Aug 31

An issue was discovered in Form Tools through 3.0.20. Rated medium severity (CVSS 5.4), this vulnerability is remotely e

CVE-2026-23514 HIGH
8.8 Mar 25

An access control vulnerability exists in Kiteworks Core versions 9.2.0 and 9.2.1 that allows authenticated users to acc

CVE-2024-14036 HIGH
8.7 Jun 02

Dräger Core 1.0.5 and Dräger M540 Converter Service 1.0.9 contain a denial of service vulnerability that allows network-

CVE-2026-55844 HIGH
7.5 Jun 29

Sensitive token disclosure affects the Home Assistant iOS companion app prior to 2025.5.0, where the app ignores the con

CVE-2020-15235 HIGH
7.5 Oct 05

In RACTF before commit f3dc89b, unauthenticated users are able to get the value of sensitive config keys that would norm

Share

EUVD-2026-38553 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy