CVE-2026-34205
Received Received - Intake
Unauthenticated Access in Home Assistant Apps via Host Network Mode

Publication date: 2026-03-27

Last updated on: 2026-03-27

Assigner: GitHub, Inc.

Description
Home Assistant is open source home automation software that puts local control and privacy first. Home Assistant apps (formerly add-ons) configured with host network mode expose unauthenticated endpoints bound to the internal Docker bridge interface to the local network. On Linux, this configuration does not restrict access to the app as intended, allowing any device on the same network to reach these endpoints without authentication. Home Assistant Supervisor 2026.03.02 addresses the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-03-27
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34205
EUVD
EUVD-2026-16793
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
home_assistant operating_system to 17.1 (inc)
home_assistant supervisor to 2026.03.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-923 The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Home Assistant apps configured to use Docker's host network mode while exposing unauthenticated endpoints bound to the internal Docker bridge interface. On Linux systems, this configuration mistakenly allows any device on the same local network to access these endpoints without authentication. The root cause is that firewall rules do not restrict access to the Docker bridge interface from the local network, allowing attackers to bypass authentication and gain full API access.

  • Home Assistant apps expose unauthenticated endpoints on the Docker bridge interface.
  • On Linux, host network mode shares the host's network namespace, making these endpoints accessible from the local network.
  • Attackers on the same network can route packets to these endpoints and gain full access without credentials.
  • Affected apps include Advanced SSH & Web Terminal, Music Assistant, and Matter Server.
Impact Analysis

This vulnerability can have severe impacts including unauthorized full access to Home Assistant APIs and management interfaces without any authentication. An attacker on the same local network can exploit this to control or manipulate your home automation system.

  • Compromise of confidentiality, integrity, and availability of the Home Assistant system.
  • Potential full shell access via the Advanced SSH & Web Terminal app.
  • User impersonation through the Music Assistant app.
  • Access to unauthenticated WebSocket APIs like those in the Matter Server app.

Overall, this can lead to complete takeover of the home automation environment by an attacker on the local network.

Detection Guidance

This vulnerability can be detected by checking if Home Assistant apps are configured with Docker's host network mode and if unauthenticated endpoints are bound to the internal Docker bridge interface (typically 172.30.32.0/23 for IPv4 and fd0c:ac1e:2100::/48 for IPv6).

On a Linux system, you can inspect Docker container network settings to see if host network mode is enabled and verify if any apps expose unauthenticated endpoints on the Docker bridge interface.

Suggested commands include:

  • Use `docker ps` to list running containers and check their network mode.
  • Use `docker inspect <container_id>` and look for the "NetworkMode" field to confirm if it is set to "host".
  • Use `ss -tuln` or `netstat -tuln` to list listening ports and check if any unauthenticated endpoints are bound to Docker bridge IP addresses.
  • Use network scanning tools from another device on the same local network to probe the Docker bridge IP range (e.g., 172.30.32.0/23) for open unauthenticated endpoints.
Mitigation Strategies

Immediate mitigation steps include implementing firewall rules at the operating system or Supervisor level to restrict access to the Docker bridge interface, ensuring that only local containers can communicate with bridge-bound endpoints.

Specifically, you should:

  • Apply iptables or nftables rules to block access to the Docker bridge IP range from devices on the local network.
  • Audit all installed Home Assistant apps to identify any that expose unauthenticated endpoints relying on Docker bridge isolation.
  • Prevent or reconfigure apps that use Docker host network mode from exposing internal endpoints to the local network.

Additionally, upgrade Home Assistant Supervisor to version 2026.03.2 or later, which includes a fix that applies firewall rules via systemd to protect all installations regardless of OS version.

Compliance Impact

This vulnerability allows unauthenticated access to sensitive Home Assistant API endpoints from any device on the same local network, bypassing all authentication mechanisms.

Such unauthorized access can lead to full compromise of confidentiality, integrity, and availability of the Home Assistant system, potentially exposing personal or sensitive data.

This exposure could result in non-compliance with data protection regulations like GDPR or HIPAA, which require strict access controls and protection of personal data.

Organizations using affected versions of Home Assistant without applying mitigations or updates may risk violating these standards due to inadequate protection of data and systems.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34205. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart