CVE-2026-27981
Authentication Bypass via Forged IP Headers in HomeBox

Publication date: 2026-03-03

Last updated on: 2026-03-05

Assigner: GitHub, Inc.

Description
HomeBox is a home inventory and organization system. Prior to 0.24.0, the authentication rate limiter (authRateLimiter) tracks failed attempts per client IP. It determines the client IP by checking, in order: (1) the X-Real-IP header, (2) the first entry of the X-Forwarded-For header, and (3) r.RemoteAddr (the TCP connection address). These headers were read unconditionally. An attacker connecting directly to Homebox could forge any value in X-Real-IP, effectively obtaining a fresh rate-limit identity per request. There is a TrustProxy option in the configuration (Options.TrustProxy, default false), but this option was never read by any middleware or rate limiter code. Additionally, chi's middleware.RealIP was applied unconditionally in main.go, overwriting r.RemoteAddr with the forged header value before it reached any handler. This vulnerability is fixed in 0.24.0.
Meta Information
Published: 2026-03-03
Last Modified: 2026-03-05
Generated: 2026-06-16
AI Q&A: 2026-03-04
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: sysadminsmedia
Product: homebox
Version / Range: all versions before 0.24.0 (0.24.0 excluded)
CWE
CWE-307: The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
AI Quick Actions
Executive Summary

The vulnerability exists in HomeBox versions prior to 0.24.0 in the authentication rate limiter mechanism. The rate limiter tracks failed login attempts based on the client IP address, which it determines by reading headers such as X-Real-IP and X-Forwarded-For, or the TCP connection address. However, these headers are read unconditionally without verifying their trustworthiness. An attacker connecting directly to HomeBox can forge the X-Real-IP header, effectively bypassing the rate limiter by appearing as a new client IP on each request. Additionally, the TrustProxy configuration option intended to control this behavior was never actually used by the middleware or rate limiter. The middleware also overwrites the remote address with the forged header value before handling the request, enabling the attacker to evade rate limiting.
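As an added Go example (not HomeBox's own code, and not a reproduction of the 0.24.0 fix), the resolution order from the description and the summary above, but gated on TrustProxy: proxy headers are honoured only when the option is set, so a failed-login counter keyed on the result no longer treats each forged X-Real-IP value as a new client. The Options struct and failureLimiter are constructed stand-ins for the configuration and authRateLimiter named in the advisory.

```go
package main

import (
	"net"
	"net/http"
	"strings"
)

// Options stands in for the server configuration; only TrustProxy is modelled here (constructed).
type Options struct {
	TrustProxy bool
}

// clientIP returns the identity a login rate limiter should key on. Proxy headers are honoured
// only when TrustProxy is set; otherwise the TCP peer is used, so a direct client cannot pick its identity.
func clientIP(opts Options, r *http.Request) string {
	if opts.TrustProxy {
		if v := strings.TrimSpace(r.Header.Get("X-Real-IP")); v != "" {
			return v
		}
		// First X-Forwarded-For entry is the original client behind a trusted proxy.
		if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
			if first := strings.TrimSpace(strings.Split(xff, ",")[0]); first != "" {
				return first
			}
		}
	}
	if host, _, err := net.SplitHostPort(r.RemoteAddr); err == nil {
		return host
	}
	return r.RemoteAddr
}

// failureLimiter counts failed logins per identity; a minimal stand-in for authRateLimiter (constructed).
type failureLimiter struct {
	opts  Options
	limit int
	fails map[string]int
}

// recordFailure notes one failed attempt for the caller and reports whether that
// identity has now exceeded the limit and should be blocked.
func (l *failureLimiter) recordFailure(r *http.Request) bool {
	key := clientIP(l.opts, r)
	l.fails[key]++
	return l.fails[key] > l.limit
}
```

This gate only helps if no earlier middleware has already rewritten r.RemoteAddr from the same headers; the advisory notes chi's middleware.RealIP was applied unconditionally, so it needs the same TrustProxy condition.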

Impact Analysis

This vulnerability allows an attacker to bypass the authentication rate limiting by forging client IP addresses. As a result, an attacker can perform a large number of failed login attempts without being blocked or slowed down by the rate limiter. This can lead to brute force attacks on user accounts, increasing the risk of unauthorized access. The vulnerability impacts the confidentiality and integrity of the system by enabling attackers to potentially compromise user credentials.

Mitigation Strategies

To mitigate this vulnerability, upgrade HomeBox to version 0.24.0 or later, where the issue with the authentication rate limiter and the TrustProxy option has been fixed.
