CVE-2026-27981
Authentication Bypass via Forged IP Headers in HomeBox

Publication date: 2026-03-03

Last updated on: 2026-03-05

Assigner: GitHub, Inc.

Description
HomeBox is a home inventory and organization system. Prior to 0.24.0, the authentication rate limiter (authRateLimiter) tracks failed attempts per client IP. It determines the client IP by reading, in order: (1) the X-Real-IP header, (2) the first entry of the X-Forwarded-For header, and (3) r.RemoteAddr (the TCP connection address). These headers were read unconditionally. An attacker connecting directly to HomeBox could forge any value in X-Real-IP, effectively getting a fresh rate-limit identity per request. There is a TrustProxy option in the configuration (Options.TrustProxy, default false), but this option was never read by any middleware or rate limiter code. Additionally, chi's middleware.RealIP was applied unconditionally in main.go, overwriting r.RemoteAddr with the forged header value before it reaches any handler. This vulnerability is fixed in 0.24.0.
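The two client-IP lookups below are an added illustration, not HomeBox's code: clientIPNaive reproduces the header order the advisory describes, and clientIP gates the header lookup on a trustProxy flag, which is the check the advisory says Options.TrustProxy was meant to provide but that nothing consulted. Function names, the sample addresses and the request path are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// clientIPNaive mirrors the pre-0.24.0 behaviour described in the advisory:
// proxy headers are honoured unconditionally, so a client connecting directly
// chooses its own rate-limit identity simply by setting X-Real-IP.
func clientIPNaive(r *http.Request) string {
	if ip := r.Header.Get("X-Real-IP"); ip != "" {
		return ip
	}
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		return strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	return hostOnly(r.RemoteAddr)
}

// clientIP only honours proxy headers when the deployment says a trusted
// proxy sits in front (trustProxy). Otherwise the TCP peer address is the
// sole identity, so forged headers cannot mint a fresh rate-limit bucket.
func clientIP(r *http.Request, trustProxy bool) string {
	if trustProxy {
		return clientIPNaive(r)
	}
	return hostOnly(r.RemoteAddr)
}

// hostOnly strips the ephemeral port from "host:port" so every connection
// from one peer shares a single bucket.
func hostOnly(addr string) string {
	if host, _, err := net.SplitHostPort(addr); err == nil {
		return host
	}
	return addr
}

// newReq builds a login request with a given peer address and headers
// (constructed sample input for the example).
func newReq(remoteAddr string, headers map[string]string) *http.Request {
	r, _ := http.NewRequest("POST", "/login", nil)
	r.RemoteAddr = remoteAddr
	for k, v := range headers {
		r.Header.Set(k, v)
	}
	return r
}

func main() {
	direct := newReq("198.51.100.7:51000", map[string]string{"X-Real-IP": "10.0.0.1"})
	fmt.Println("naive:", clientIPNaive(direct), " gated:", clientIP(direct, false))
}
```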
Meta Information
Published: 2026-03-03
Last Modified: 2026-03-05
Generated: 2026-05-07
AI Q&A: 2026-03-04
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor             Product   Version / Range
sysadminsmedia     homebox   up to 0.24.0 (excluding)
CWE ID     Description
CWE-307    The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability exists in HomeBox versions prior to 0.24.0 in the authentication rate limiter mechanism. The rate limiter tracks failed login attempts based on the client IP address, which it determines by reading headers such as X-Real-IP and X-Forwarded-For, or the TCP connection address. However, these headers are read unconditionally without verifying their trustworthiness. An attacker connecting directly to HomeBox can forge the X-Real-IP header, effectively bypassing the rate limiter by appearing as a new client IP on each request. Additionally, the TrustProxy configuration option intended to control this behavior was never actually used by the middleware or rate limiter. The middleware also overwrites the remote address with the forged header value before handling the request, enabling the attacker to evade rate limiting.


How can this vulnerability impact me?

This vulnerability allows an attacker to bypass the authentication rate limiting by forging client IP addresses. As a result, an attacker can perform a large number of failed login attempts without being blocked or slowed down by the rate limiter. This can lead to brute force attacks on user accounts, increasing the risk of unauthorized access. The vulnerability impacts the confidentiality and integrity of the system by enabling attackers to potentially compromise user credentials.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade HomeBox to version 0.24.0 or later, where the issue with the authentication rate limiter and the TrustProxy option has been fixed.

