CVE-2026-44698
JavaScript Injection in Home Assistant Companion Apps
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| home_assistant | companion_app | 2026.4.1 |
| home_assistant | companion_app | up to 2026.4.4 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-749 | The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted. |
| CWE-346 | The product does not properly verify that the source of data or communication is valid. |
| CWE-940 | The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-44698 is a high-severity vulnerability in the Home Assistant Companion apps for Android and iOS. It involves a JavaScript bridge exposed in the in-app WebView that is accessible to all frames, including cross-origin iframes. Due to unsanitized interpolation of the JavaScript callback identifier, a malicious cross-origin iframe can execute arbitrary JavaScript in the Home Assistant frontend's main-frame origin.
This allows an attacker to exfiltrate the signed-in user's access token by embedding a malicious iframe (for example, via a Webpage card) that calls the getExternalAuth function with a crafted callback. The attacker can then use this token to gain full REST API access to the Home Assistant instance.
Additionally, the revokeExternalAuth endpoint can be abused to revoke the user's refresh token, causing a denial-of-service by forcing the user to re-onboard.
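The defensive pattern implied by the description (validate the caller's frame origin, treat the callback identifier as data rather than code, and pass the result as a JSON literal), written as an added example rather than Home Assistant's own bridge code; the function and callback names are hypothetical:

```javascript
// Added example (not Home Assistant's code): a hardened way for a WebView
// bridge to hand a result back to page JavaScript via a caller-supplied
// callback. The weakness on this page is interpolating the callback
// identifier straight into executed JS; here it is validated and looked up
// by name, never spliced into source text. Names are hypothetical.

const IDENT_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Returns the script the native side should evaluate in the page, or throws
// if the request must be refused. frameOrigin is the origin of the frame that
// invoked the bridge; appOrigin is the origin of the frontend's main frame.
function buildBridgeReply(frameOrigin, appOrigin, callbackId, payload) {
  // 1. Only the app's own origin may use the bridge (CWE-346 / CWE-940);
  //    a cross-origin iframe gets refused before anything is built.
  if (typeof frameOrigin !== "string" || frameOrigin !== appOrigin) {
    throw new Error("bridge call refused: untrusted frame origin");
  }
  // 2. The callback identifier must be a plain JS identifier (CWE-94).
  if (typeof callbackId !== "string" || !IDENT_RE.test(callbackId)) {
    throw new Error("bridge call refused: invalid callback identifier");
  }
  // 3. Even a valid identifier is emitted as a string literal and resolved on
  //    window at run time; the payload becomes a JSON literal with U+2028 and
  //    U+2029 escaped so it cannot terminate the script early.
  const lit = (v) =>
    JSON.stringify(v)
      .replace(/\u2028/g, "\\u2028")
      .replace(/\u2029/g, "\\u2029");
  return (
    `(function(){var cb=window[${lit(callbackId)}];` +
    `if(typeof cb==="function"){cb(${lit(payload)});}})();`
  );
}
```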
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized access and control over your Home Assistant instance. An attacker can steal your access token and gain full REST API access, allowing them to manipulate your home automation setup.
Furthermore, the attacker can perform denial-of-service attacks by revoking your refresh token, forcing you to re-authenticate and potentially disrupting your home automation services.
Overall, this compromises the confidentiality, integrity, and availability of your Home Assistant environment.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the Home Assistant Companion apps exposing a JavaScript bridge to all frames including cross-origin iframes, which can be exploited via malicious iframe embeds.
To detect exploitation attempts on your system or network, you can monitor for unusual API calls or suspicious iframe usage within the Home Assistant frontend, especially calls to functions like getExternalAuth or revokeExternalAuth.
Since the attack involves JavaScript execution and token exfiltration, network monitoring tools could be used to detect unexpected outbound requests carrying access tokens.
Specific commands are not provided in the resources, but general detection steps include:
- Inspect Home Assistant frontend logs for calls to getExternalAuth or revokeExternalAuth.
- Use network monitoring tools (e.g., Wireshark, tcpdump) to capture and analyze traffic for suspicious token exfiltration.
- Audit any Webpage cards or iframe embeds in your Home Assistant configuration for untrusted or third-party content.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Home Assistant Companion apps to the fixed versions: 2026.4.1 for iOS and 2026.4.4 for Android.
Until you can update, temporary mitigations involve removing Webpage cards or avoiding embedding third-party iframes in the Home Assistant frontend to prevent malicious iframe exploitation.
These steps reduce the attack surface by preventing untrusted cross-origin iframes from accessing the vulnerable JavaScript bridge.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to execute arbitrary JavaScript in the Home Assistant frontend's main-frame origin and exfiltrate the signed-in user's access token. Such unauthorized access to user tokens can lead to exposure of personal data and unauthorized control over the Home Assistant instance.
Because the vulnerability impacts confidentiality, integrity, and availability of user data and access, it could potentially lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal data against unauthorized access and breaches.
Organizations using affected versions of the Home Assistant Companion apps should apply patches promptly to mitigate risks of data breaches and ensure compliance with relevant standards.