CVE-2026-34205
Unauthenticated Access in Home Assistant Apps via Host Network Mode
Publication date: 2026-03-27
Last updated on: 2026-03-27
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| home_assistant | operating_system | up to 17.1 (inclusive) |
| home_assistant | supervisor | up to 2026.03.1 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-923 | The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Home Assistant apps that run in Docker's host network mode while exposing unauthenticated endpoints bound to the internal Docker bridge interface. On Linux, host network mode shares the host's network namespace, so those bridge-bound endpoints become reachable from any device on the same local network without authentication. The root cause is that no firewall rule restricts access to the Docker bridge address range from the local network, which lets an attacker bypass authentication and obtain full API access.
- Home Assistant apps expose unauthenticated endpoints on the Docker bridge interface.
- On Linux, host network mode shares the host's network namespace, making these endpoints accessible from the local network.
- Attackers on the same network can route packets to these endpoints and gain full access without credentials.
- Affected apps include Advanced SSH & Web Terminal, Music Assistant, and Matter Server.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized full access to Home Assistant APIs and management interfaces without any authentication. An attacker on the same local network can exploit this to control or manipulate your home automation system.
- Compromise of confidentiality, integrity, and availability of the Home Assistant system.
- Potential full shell access via the Advanced SSH & Web Terminal app.
- User impersonation through the Music Assistant app.
- Access to unauthenticated WebSocket APIs like those in the Matter Server app.
Overall, this can lead to complete takeover of the home automation environment by an attacker on the local network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if Home Assistant apps are configured with Docker's host network mode and if unauthenticated endpoints are bound to the internal Docker bridge interface (typically 172.30.32.0/23 for IPv4 and fd0c:ac1e:2100::/48 for IPv6).
On a Linux system, you can inspect Docker container network settings to see if host network mode is enabled and verify if any apps expose unauthenticated endpoints on the Docker bridge interface.
Suggested commands include:
- Use `docker ps` to list running containers and check their network mode.
- Use `docker inspect <container_id>` and look for the "NetworkMode" field to confirm if it is set to "host".
- Use `ss -tuln` or `netstat -tuln` to list listening ports and check if any unauthenticated endpoints are bound to Docker bridge IP addresses.
- Use network scanning tools from another device on the same local network to probe the Docker bridge IP range (e.g., 172.30.32.0/23) for open unauthenticated endpoints.
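The host-side checks above, combined into one script as an added example (not code from the advisory or from the Home Assistant project): it parses `docker inspect` JSON for containers in host network mode and `ss -tuln` output for listeners bound inside the two bridge ranges named above. The container names, ports and `ss` rows in the sample data are constructed.

```python
import ipaddress
import json
import subprocess

# Docker bridge ranges named in the advisory text above.
BRIDGE_NETS = [ipaddress.ip_network("172.30.32.0/23"),
               ipaddress.ip_network("fd0c:ac1e:2100::/48")]

def host_mode_containers(inspect_json):
    """Names of containers with HostConfig.NetworkMode == 'host' in `docker inspect` JSON."""
    return [c.get("Name", "?").lstrip("/") for c in json.loads(inspect_json)
            if c.get("HostConfig", {}).get("NetworkMode") == "host"]

def bridge_listeners(ss_output):
    """(proto, address, port) for `ss -tuln` sockets bound inside a bridge range."""
    hits = []
    for line in ss_output.splitlines()[1:]:      # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        addr, _, port = parts[4].rpartition(":")  # "Local Address:Port" column
        try:
            ip = ipaddress.ip_address(addr.strip("[]"))
        except ValueError:
            continue  # '*' wildcard or hostname: not a bridge-specific bind
        if any(ip in net for net in BRIDGE_NETS):
            hits.append((parts[0], str(ip), int(port)))
    return hits

# Constructed sample data (not captured from a real system) for a dry run.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/addon_example_ssh", "HostConfig": {"NetworkMode": "host"}},
    {"Name": "/addon_example_mqtt", "HostConfig": {"NetworkMode": "hassio"}}])
SAMPLE_SS = """Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    172.30.32.1:8099   0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096   [fd0c:ac1e:2100::1]:5580 [::]:*
udp   UNCONN 0      0      [::]:5353          [::]:*
"""

def _out(cmd):  # stdout of a local command (live run on a Linux Docker host)
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    ids = _out(["docker", "ps", "-q"]).split()
    inspect = _out(["docker", "inspect", *ids]) if ids else "[]"
    print("host-network containers:", host_mode_containers(inspect))
    print("bridge-bound listeners:", bridge_listeners(_out(["ss", "-tuln"])))
```

A container reported by the first function that also owns a listener reported by the second is the combination this advisory describes; the `SAMPLE_*` constants show the input shapes when run on a machine without Docker.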
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing firewall rules at the operating system or Supervisor level to restrict access to the Docker bridge interface, ensuring that only local containers can communicate with bridge-bound endpoints.
Specifically, you should:
- Apply iptables or nftables rules to block access to the Docker bridge IP range from devices on the local network.
- Audit all installed Home Assistant apps to identify any that expose unauthenticated endpoints relying on Docker bridge isolation.
- Prevent or reconfigure apps that use Docker host network mode from exposing internal endpoints to the local network.
Additionally, upgrade Home Assistant Supervisor to version 2026.03.2 or later, which includes a fix that applies firewall rules via systemd to protect all installations regardless of OS version.
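One way to express the firewall rule described in the first mitigation step, as an added nftables fragment that is not the Supervisor's shipped ruleset: it assumes nftables is available on the host and that the Docker bridge interface is named `hassio` (confirm with `ip link`); the table name is arbitrary.

```nft
# Added illustration, not the Supervisor's own fix. Assumes the Docker bridge
# interface is named "hassio"; adjust the name if `ip link` shows otherwise.
table inet ha_bridge_guard {
    chain input {
        type filter hook input priority filter; policy accept;
        # Packets arriving from the bridge itself or from the host (loopback)
        # are the legitimate container-to-host traffic and stay allowed.
        iifname { "lo", "hassio" } accept
        # Packets from any other interface (e.g. a LAN device that routed a
        # packet to 172.30.32.1) addressed to the bridge ranges are dropped
        # before they reach a host-network app listening there.
        ip daddr 172.30.32.0/23 counter drop
        ip6 daddr fd0c:ac1e:2100::/48 counter drop
    }
}
```

Load it with `nft -f <file>` and watch the `counter` values to confirm whether any LAN traffic was actually hitting the bridge ranges.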
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthenticated access to sensitive Home Assistant API endpoints from any device on the same local network, bypassing all authentication mechanisms.
Such unauthorized access can lead to full compromise of confidentiality, integrity, and availability of the Home Assistant system, potentially exposing personal or sensitive data.
This exposure could result in non-compliance with data protection regulations like GDPR or HIPAA, which require strict access controls and protection of personal data.
Organizations using affected versions of Home Assistant without applying mitigations or updates may risk violating these standards due to inadequate protection of data and systems.