CVE-2026-3559
Awaiting Analysis Awaiting Analysis - Queue
Authentication Bypass in Philips Hue Bridge HomeKit Protocol

Publication date: 2026-03-16

Last updated on: 2026-04-27

Assigner: Zero Day Initiative

Description
Philips Hue Bridge HomeKit Accessory Protocol Static Nonce Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the SRP authentication mechanism in the HomeKit Accessory Protocol service, which listens on TCP port 8080 by default. The issue results from the use of a static nonce value. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-28451.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-04-27
Generated
2026-06-17
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3559
EUVD
EUVD-2026-12160
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
philips hue_bridge_v2_firmware to 1975170000 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-323 Nonces should be used for the present occasion and only once.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects the Philips Hue Bridge's HomeKit Accessory Protocol. It involves a flaw in the SRP authentication mechanism where a static nonce value is used. Because of this, network-adjacent attackers can bypass authentication without needing any credentials or prior access.

Impact Analysis

An attacker exploiting this vulnerability can bypass authentication on the Philips Hue Bridge, potentially gaining unauthorized access to the device and its functions. This could lead to unauthorized control or manipulation of connected smart home devices.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3559. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart