CVE-2026-27796
Received Received - Intake
Information Disclosure via Publicly Exposed tRPC Endpoint in Homarr Dashboard

Publication date: 2026-03-07

Last updated on: 2026-03-10

Assigner: GitHub, Inc.

Description
Homarr is an open-source dashboard. Prior to version 1.54.0, the integration.all tRPC endpoint in Homarr is exposed as a publicProcedure, allowing unauthenticated users to retrieve a complete list of configured integrations. This metadata includes sensitive information such as internal service URLs, integration names, and service types. This issue has been patched in version 1.54.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-07
Last Modified
2026-03-10
Generated
2026-06-16
AI Q&A
2026-03-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27796
EUVD
EUVD-2026-10114
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
homarr homarr to 1.54.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

I don't know

Executive Summary

CVE-2026-27796 is an information disclosure vulnerability in the open-source dashboard Homarr, affecting versions prior to 1.54.0.

The vulnerability arises because the integration.all tRPC endpoint was exposed as a publicProcedure, meaning it did not require authentication.

This allowed unauthenticated users to retrieve a complete list of configured integrations, including sensitive metadata such as internal service URLs, integration names, and service types.

This exposure leaks internal network topology and service discovery information, which could be used for further targeted attacks.

Impact Analysis

This vulnerability can impact you by exposing sensitive internal information about your Homarr integrations to unauthenticated users.

  • Leakage of internal service URLs, including IP addresses and hostnames.
  • Disclosure of integration names and service types.
  • Exposure of internal network topology and service discovery details.

Such information disclosure increases the risk of targeted attacks against your internal services by malicious actors.

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to access the vulnerable integration.all tRPC endpoint without authentication and observing if it returns sensitive integration data.'}, {'type': 'paragraph', 'content': 'A suggested command to test this is a curl GET request to the endpoint, which if successful, returns a JSON array of configured integrations including sensitive internal URLs and service information.'}, {'type': 'list_item', 'content': 'curl -G \'http://127.0.0.1:7575/api/trpc/integration.all\' --data-urlencode \'batch=1\' --data-urlencode \'input={"0":{"json":null,"meta":{"values":["undefined"]}}}\''}] [2]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'To mitigate this vulnerability immediately, upgrade Homarr to version 1.54.0 or later, where the integration.all endpoint and related API procedures have been changed from public to protected, enforcing authentication.'}, {'type': 'paragraph', 'content': 'This patch restricts access to integration-related API endpoints and UI components exclusively to authenticated users, preventing unauthenticated information disclosure.'}, {'type': 'list_item', 'content': "Apply the patch that changes the integration router's API procedures from publicProcedure to protectedProcedure."}, {'type': 'list_item', 'content': 'Ensure that the frontend components use session-based authentication to hide integration menus from unauthenticated users.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27796. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart