Executive Summary

CVE-2026-44698 is a high-severity vulnerability in the Home Assistant Companion apps for Android and iOS. It involves a JavaScript bridge exposed in the in-app WebView that is accessible to all frames, including cross-origin iframes. Due to unsanitized interpolation of the JavaScript callback identifier, a malicious cross-origin iframe can execute arbitrary JavaScript in the Home Assistant frontend's main-frame origin.

This allows an attacker to exfiltrate the signed-in user's access token by embedding a malicious iframe (for example, via a Webpage card) that calls the getExternalAuth function with a crafted callback. The attacker can then use this token to gain full REST API access to the Home Assistant instance.

Additionally, the revokeExternalAuth endpoint can be abused to revoke the user's refresh token, causing a denial-of-service by forcing the user to re-onboard.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including unauthorized access and control over your Home Assistant instance. An attacker can steal your access token and gain full REST API access, allowing them to manipulate your home automation setup.

Furthermore, the attacker can perform denial-of-service attacks by revoking your refresh token, forcing you to re-authenticate and potentially disrupting your home automation services.

Overall, this compromises the confidentiality, integrity, and availability of your Home Assistant environment.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the Home Assistant Companion apps exposing a JavaScript bridge to all frames including cross-origin iframes, which can be exploited via malicious iframe embeds.

To detect exploitation attempts on your system or network, you can monitor for unusual API calls or suspicious iframe usage within the Home Assistant frontend, especially calls to functions like getExternalAuth or revokeExternalAuth.

Since the attack involves JavaScript execution and token exfiltration, network monitoring tools could be used to detect unexpected outbound requests carrying access tokens.

Specific commands are not provided in the resources, but general detection steps include:

• Inspect Home Assistant frontend logs for calls to getExternalAuth or revokeExternalAuth.
• Use network monitoring tools (e.g., Wireshark, tcpdump) to capture and analyze traffic for suspicious token exfiltration.
• Audit any Webpage cards or iframe embeds in your Home Assistant configuration for untrusted or third-party content.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include updating the Home Assistant Companion apps to the fixed versions: 2026.4.1 for iOS and 2026.4.4 for Android.

Until you can update, temporary mitigations involve removing Webpage cards or avoiding embedding third-party iframes in the Home Assistant frontend to prevent malicious iframe exploitation.

These steps reduce the attack surface by preventing untrusted cross-origin iframes from accessing the vulnerable JavaScript bridge.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker to execute arbitrary JavaScript in the Home Assistant frontend's main-frame origin and exfiltrate the signed-in user's access token. Such unauthorized access to user tokens can lead to exposure of personal data and unauthorized control over the Home Assistant instance.

Because the vulnerability impacts confidentiality, integrity, and availability of user data and access, it could potentially lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal data against unauthorized access and breaches.

Organizations using affected versions of the Home Assistant Companion apps should apply patches promptly to mitigate risks of data breaches and ensure compliance with relevant standards.

Useful 0 Not Useful 0