CVE-2026-40196
Received Received - Intake
Access Control Bypass in HomeBox API via DefaultGroup ID

Publication date: 2026-04-17

Last updated on: 2026-04-24

Assigner: GitHub, Inc.

Description
HomeBox is a home inventory and organization system. Versions prior to 0.25.0 contain a vulnerability where the defaultGroup ID remained permanently assigned to a user after being invited to a group, even after their access to that group was revoked. While the web interface correctly enforced the access revocation and prevented the user from viewing or modifying the group's contents, the API did not. Because the original group ID persisted as the user's defaultGroup, and this value was not properly validated when the X-Tenant header was omitted, the user could still perform full CRUD operations on the group's collections through the API, bypassing the intended access controls. This issue has been fixed in version 0.25.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-17
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-04-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40196
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sysadminsmedia homebox to 0.25.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-708 The product assigns an owner to a resource, but the owner is outside of the intended control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in HomeBox versions prior to 0.25.0 where a user's defaultGroup ID remained assigned even after their access to that group was revoked.

While the web interface correctly prevented the user from accessing the group after revocation, the API did not enforce this restriction.

Because the defaultGroup ID was not properly validated when the X-Tenant header was missing, the user could still perform full create, read, update, and delete (CRUD) operations on the group's collections through the API, bypassing intended access controls.

This issue was fixed in version 0.25.0.

Impact Analysis

This vulnerability allows a user whose access to a group has been revoked to still manipulate that group's data through the API.

Specifically, the user can perform full CRUD operations on the group's collections, potentially leading to unauthorized data modification or exposure.

Such unauthorized access can compromise the integrity and confidentiality of the group's data.

Mitigation Strategies

To mitigate this vulnerability, upgrade HomeBox to version 0.25.0 or later, where the issue has been fixed.

Compliance Impact

This vulnerability allows a user to bypass intended access controls via the API, enabling unauthorized full CRUD operations on group collections even after access revocation.

Such unauthorized access and potential data manipulation could lead to violations of data protection and privacy regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive information.

Therefore, the vulnerability may negatively impact compliance by exposing data to unauthorized users and failing to enforce proper access restrictions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40196. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart