CVE-2026-54317
Status: Awaiting Analysis - Queue
Authentication Bypass in Home Assistant Konnected Integration

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.6.0, the Konnected integration registers an HTTP endpoint, KonnectedView (homeassistant/components/konnected/__init__.py), that is marked as not requiring authentication (requires_auth = False). A comment next to that line says auth is instead handled "via the access token from configuration." That promise is only half true. Write requests (POST and PUT) are handled by update_sensor(), which does check the request's Authorization: Bearer <token> header against the integration's stored access tokens (using hmac.compare_digest). Read requests (GET) are handled by a separate get() method that has no authentication check at all. This vulnerability is fixed in 2026.6.0.
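The two code paths the description contrasts, reduced to plain Python as an added illustration (this is not Home Assistant's code): a before-the-fix handler that gates only POST/PUT, and a hardened handler that puts the same bearer-token check in front of GET as well. The Request stand-in, STORED_TOKENS and the per-device token mapping are assumptions of this example.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample: one stored access token per device ID. The advisory
# only says the view checks "the integration's stored access tokens"; the
# per-device mapping is an assumption of this example.
STORED_TOKENS: Dict[str, str] = {
    "123456": "s3cret-token-A",
    "654321": "s3cret-token-B",
}

@dataclass
class Request:
    """Minimal stand-in for the HTTP request the view receives."""
    method: str
    device_id: str
    headers: Dict[str, str] = field(default_factory=dict)

def bearer_token(headers: Dict[str, str]) -> Optional[str]:
    """Return the token from 'Authorization: Bearer <token>', else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()

def token_is_valid(presented: Optional[str], stored: Optional[str]) -> bool:
    """Constant-time comparison, as the advisory says update_sensor() uses."""
    if presented is None or stored is None:
        return False
    return hmac.compare_digest(presented.encode(), stored.encode())

def handle_vulnerable(req: Request) -> int:
    """Pre-2026.6.0 shape: only the write path is gated. Returns an HTTP status."""
    if req.method in ("POST", "PUT"):
        if not token_is_valid(bearer_token(req.headers), STORED_TOKENS.get(req.device_id)):
            return 401
        return 200
    if req.method == "GET":
        return 200  # no authentication check at all: this is the bug
    return 405

def handle_fixed(req: Request) -> int:
    """Hardened shape: one gate before every method; unknown ID and bad token both 401."""
    if not token_is_valid(bearer_token(req.headers), STORED_TOKENS.get(req.device_id)):
        return 401
    if req.method in ("GET", "POST", "PUT"):
        return 200
    return 405
```

Returning 401 for an unknown device ID as well as for a bad token keeps the fixed endpoint from acting as a device-ID oracle, which matters given the small ID space the page mentions.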
Meta Information
Generated: 2026-06-24
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor          Product         Version / Range
home_assistant  home_assistant  up to 2026.6.0 (excluding)
home_assistant  home_assistant  2026.6.0
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-306: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
AI Quick Actions (instant insights powered by AI)
Executive Summary

The vulnerability exists in the Konnected integration of Home Assistant versions before 2026.6.0. This integration registers an HTTP endpoint called KonnectedView that is supposed to require authentication via access tokens. However, while write requests (POST and PUT) properly check for authentication tokens, read requests (GET) do not require any authentication at all.

This means that anyone on the local network can send unauthenticated GET requests to this endpoint and access sensitive alarm panel information, such as device states and zone topology, without needing a valid access token.

Compliance Impact

The vulnerability in the Konnected integration of Home Assistant allows unauthenticated local network actors to access sensitive alarm panel information without proper authentication. This exposure of sensitive security system data could lead to unauthorized disclosure of personal or security-related information.

Such unauthorized access and potential data exposure may negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and proper access controls to prevent unauthorized disclosure.

Specifically, the flaw allows attackers to enumerate device IDs, read switch output states, and determine alarm panel topology, which could be considered a breach of confidentiality and security controls mandated by these regulations.

Impact Analysis

This vulnerability allows unauthenticated attackers on the local network to access sensitive information about your alarm panel, including the state of switches (like sirens and relays) and the configuration of security zones.

Attackers can enumerate device IDs and map the alarm system's topology, which can help them plan physical intrusions or bypass security measures.

Additionally, the endpoint triggers unnecessary outbound connections to the Konnected hardware, which could cause interference or other unintended effects.

Detection Guidance

This vulnerability can be detected by scanning your local network for unauthenticated access to the Konnected integration's HTTP endpoint in Home Assistant. Specifically, you can attempt to send unauthenticated GET requests to the endpoint `/api/konnected/device/{device_id}?zone=N` to see if alarm panel information is accessible without authentication.

Since the device ID space is relatively small (around 2^24), you can script or use tools like curl or wget to enumerate device IDs and check for responses.

  • Example command to test access to a specific device ID and zone (the URL is quoted so the shell does not treat `?` as a glob): `curl 'http://<home_assistant_ip>/api/konnected/device/123456?zone=1'`
  • You can automate scanning multiple device IDs with a script that iterates over possible device IDs and zones, checking for HTTP 200 responses without authentication.

Mitigation Strategies

The immediate mitigation step is to upgrade Home Assistant to version 2026.6.0 or later, where this vulnerability is fixed by enforcing proper authentication on all requests to the Konnected integration endpoint.

Until the upgrade can be applied, restrict access to the Home Assistant instance on your local network to trusted devices only, for example by using firewall rules or network segmentation to prevent unauthorized clients from reaching the vulnerable endpoint.

Additionally, monitor network traffic for suspicious unauthenticated GET requests to the `/api/konnected/device/` endpoint and consider disabling the Konnected integration if it is not essential.
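An added detection example for the monitoring step above and for the Detection Guidance section; it is not from the page or the Home Assistant project. It parses constructed reverse-proxy log lines (the format, including the auth=yes/no field that the proxy would have to be configured to emit instead of logging the header value itself, is an assumption) and reports clients that were served GETs to /api/konnected/device/ with no Authorization header, flagging those that touched several distinct device IDs as likely enumeration.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample lines in an assumed proxy log format:
# <timestamp> <client_ip> <method> <path> <status> auth=<yes|no>
SAMPLE_LOG = """\
2026-06-23T10:00:01Z 192.168.1.50 GET /api/konnected/device/123456?zone=1 200 auth=no
2026-06-23T10:00:02Z 192.168.1.50 GET /api/konnected/device/123457?zone=1 200 auth=no
2026-06-23T10:00:03Z 192.168.1.50 GET /api/konnected/device/123458?zone=2 200 auth=no
2026-06-23T10:00:04Z 192.168.1.10 PUT /api/konnected/device/123456 200 auth=yes
2026-06-23T10:00:05Z 192.168.1.10 GET /api/konnected/device/123456?zone=1 200 auth=yes
2026-06-23T10:00:06Z 192.168.1.77 GET /api/states 401 auth=no
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) auth=(?P<auth>yes|no)$"
)
# The vulnerable path shape from the page: /api/konnected/device/{device_id}?zone=N
DEVICE_RE = re.compile(r"^/api/konnected/device/(?P<device_id>[^/?]+)")

def find_unauthenticated_reads(log_text: str) -> Dict[str, List[str]]:
    """Map client IP -> sorted device IDs for GETs to the Konnected endpoint
    that carried no Authorization header and were still served (2xx)."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        d = DEVICE_RE.match(m["path"])
        if d is None or m["method"] != "GET" or m["auth"] != "no":
            continue
        if not m["status"].startswith("2"):
            continue  # a rejected request is not a successful bypass
        hits[m["ip"]].add(d["device_id"])
    return {ip: sorted(ids) for ip, ids in hits.items()}

def enumeration_suspects(hits: Dict[str, List[str]], threshold: int = 3) -> List[str]:
    """Clients that read at least `threshold` distinct device IDs without auth
    look like ID enumeration rather than one misconfigured client."""
    return sorted(ip for ip, ids in hits.items() if len(ids) >= threshold)
```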
