CVE-2026-27796
Information Disclosure via Publicly Exposed tRPC Endpoint in Homarr Dashboard
Publication date: 2026-03-07
Last updated on: 2026-03-10
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| homarr | homarr | < 1.54.0 (1.54.0 itself excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
Can you explain this vulnerability to me?
CVE-2026-27796 is an information disclosure vulnerability in the open-source dashboard Homarr, affecting versions prior to 1.54.0.
The vulnerability arises because the integration.all tRPC endpoint was exposed as a publicProcedure, meaning it did not require authentication.
This allowed unauthenticated users to retrieve a complete list of configured integrations, including sensitive metadata such as internal service URLs, integration names, and service types.
This exposure leaks internal network topology and service discovery information, which could be used for further targeted attacks.
How can this vulnerability impact me?
This vulnerability can impact you by exposing sensitive internal information about your Homarr integrations to unauthenticated users.
- Leakage of internal service URLs, including IP addresses and hostnames.
- Disclosure of integration names and service types.
- Exposure of internal network topology and service discovery details.
Such information disclosure increases the risk of targeted attacks against your internal services by malicious actors.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the vulnerable integration.all tRPC endpoint without authentication and observing whether it returns sensitive integration data.
A suggested command to test this is a curl GET request to the endpoint, which, on a vulnerable instance, returns a JSON array of configured integrations including sensitive internal URLs and service information.
- `curl -G 'http://127.0.0.1:7575/api/trpc/integration.all' --data-urlencode 'batch=1' --data-urlencode 'input={"0":{"json":null,"meta":{"values":["undefined"]}}}'` [2]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade Homarr to version 1.54.0 or later, where the integration.all endpoint and related API procedures have been changed from public to protected, enforcing authentication.
This patch restricts access to integration-related API endpoints and UI components exclusively to authenticated users, preventing unauthenticated information disclosure.
- Apply the patch that changes the integration router's API procedures from publicProcedure to protectedProcedure.
- Ensure that the frontend components use session-based authentication to hide integration menus from unauthenticated users. [1]
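The publicProcedure-to-protectedProcedure change described in the explanation and mitigation answers above, shown as an added example: this is not Homarr's code and not the real @trpc/server API, but a minimal stand-in for tRPC's procedure/middleware pattern (the Procedure and TRPCError classes, the callAs helper and the integration records with their 10.0.0.x URLs are all constructed for illustration).

```typescript
// Minimal stand-in for tRPC's procedure/middleware pattern (assumption: not the real
// @trpc/server API and not Homarr's code), enough to show why integration.all as a
// publicProcedure leaks and how protectedProcedure closes the gap server-side.
type Session = { userId: string } | null;
type Ctx = { session: Session };
type Resolver<T> = (ctx: Ctx) => T;
type Middleware = (ctx: Ctx) => void;

class TRPCError extends Error {
  code: string;
  constructor(code: string) { super(code); this.code = code; }
}

// Constructed sample records in the shape the advisory describes
// (integration name, service type, internal service URL).
const integrations = [
  { name: "media", kind: "jellyfin", url: "http://10.0.0.12:8096" },
  { name: "downloads", kind: "qbittorrent", url: "http://10.0.0.13:8080" },
];

class Procedure {
  private readonly middlewares: Middleware[];
  constructor(middlewares: Middleware[] = []) { this.middlewares = middlewares; }
  use(mw: Middleware): Procedure { return new Procedure([...this.middlewares, mw]); }
  // Build a callable: run every middleware in order, then the resolver.
  query<T>(resolve: Resolver<T>): Resolver<T> {
    return (ctx) => { for (const mw of this.middlewares) mw(ctx); return resolve(ctx); };
  }
}

const publicProcedure = new Procedure();
// The authorization check that was missing (CWE-862): no session, no data.
const protectedProcedure = publicProcedure.use((ctx) => {
  if (!ctx.session) throw new TRPCError("UNAUTHORIZED");
});

// Vulnerable shape (pre-1.54.0): anyone who can reach the endpoint lists integrations.
export const vulnerableIntegrationAll = publicProcedure.query(() => integrations);
// Fixed shape: identical resolver, reachable only with an authenticated context.
export const fixedIntegrationAll = protectedProcedure.query(() => integrations);

// Exercise a procedure as a given caller; returns a compact verdict string.
export function callAs(proc: Resolver<typeof integrations>, session: Session): string {
  try { return `ok:${proc({ session }).length}`; }
  catch (e) { return e instanceof TRPCError ? `denied:${e.code}` : "error"; }
}
```

Hiding the integration menu in the UI does not by itself close the hole: the resolver is the same in both variants, and only the server-side middleware turns the unauthenticated call into a denial.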