CVE-2026-54318
Status: Awaiting Analysis (Queue)
Location Spoofing in Home Assistant Android App

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.5.3, the LocationSensorManager BroadcastReceiver is exported with no permission. Any installed app, with zero runtime permissions, can broadcast a forged Google Play Services LocationResult directly to it; the receiver trusts the extra and forwards it to the user's Home Assistant server as the device's real location. This bypasses Android's developer-mode "Mock Location" gate and allows a local malicious app to drive zone-based automations (unlock door / disarm alarm / open garage) by faking the user's GPS position. This vulnerability is fixed in 2026.5.3.
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-24
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: home_assistant
Product: home_assistant
Version / Range: up to 2026.5.3 (exclusive)
CWE
CWE-926: The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains.
Executive Summary

The vulnerability exists in Home Assistant's LocationSensorManager BroadcastReceiver, which was exported without any permission restrictions prior to version 2026.5.3.

This means that any installed app on the device, even one without any runtime permissions, can send a forged Google Play Services LocationResult broadcast directly to the receiver.

The receiver trusts this broadcasted location data and forwards it to the user's Home Assistant server as if it were the device's real location.

This bypasses Android's developer-mode 'Mock Location' protections and allows a local malicious app to fake the user's GPS position.

As a result, the attacker can manipulate zone-based automations such as unlocking doors, disarming alarms, or opening garages by spoofing the device location.

The issue was fixed in Home Assistant version 2026.5.3 by restricting the export of the LocationSensorManager.

Impact Analysis

This vulnerability can allow a local malicious app on your device to spoof your GPS location without needing any permissions.

By faking your location, the attacker can trigger zone-based automations in Home Assistant that rely on your real location.

  • Unlocking doors
  • Disarming alarms
  • Opening garage doors

This can lead to unauthorized physical access to your home or property and compromise your security.

Detection Guidance

This vulnerability involves the LocationSensorManager BroadcastReceiver being exported without permission, allowing local apps to send forged location broadcasts. Detection would involve checking if the vulnerable version of Home Assistant (prior to 2026.5.3) is installed and if the LocationSensorManager BroadcastReceiver is exported without restrictions.

To detect exploitation attempts, you can monitor for suspicious broadcasts of the ACTION_LOCATION_RESULT or similar intents being sent to the LocationSensorManager. On an Android device, you might use commands such as:

  • adb shell dumpsys package home_assistant | grep LocationSensorManager
  • adb shell pm list receivers -a | grep LocationSensorManager
  • adb logcat | grep LocationSensorManager

These commands help verify if the receiver is exported and monitor logs for suspicious location broadcasts. However, no specific detection commands are provided in the available resources.
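As an added defender-side check (not code from the Home Assistant project or from this page), the following Python audits an extracted AndroidManifest.xml for receivers that are exported to other apps without an android:permission gate, which is the CWE-926 condition described above. The manifest it parses is a constructed sample, and the signature-level permission name in it is hypothetical.

```python
# Added example (not Home Assistant project code): audit an extracted
# AndroidManifest.xml for the exposure CWE-926 describes: a receiver
# exported to other apps without an android:permission gate.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    # Read an android:-namespaced attribute, or None if absent.
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(component):
    """Apply Android's export rules to one <receiver> element.

    An explicit android:exported wins; otherwise a component that declares
    an <intent-filter> is exported by default (pre-targetSdk-31 behaviour).
    """
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def find_unprotected_receivers(manifest_xml):
    """Return receiver names reachable by any installed app with no permission check."""
    root = ET.fromstring(manifest_xml)
    return [_attr(r, "name") for r in root.iter("receiver")
            if is_exported(r) and not _attr(r, "permission")]


# Constructed sample manifest, not the real Home Assistant manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <!-- exported with no permission: any installed app can reach it -->
    <receiver android:name=".LocationSensorManager" android:exported="true"/>
    <!-- implicitly exported through its intent-filter, still unprotected -->
    <receiver android:name=".LegacyReceiver">
      <intent-filter><action android:name="com.example.PING"/></intent-filter>
    </receiver>
    <!-- exported but gated by a (hypothetical) signature-level permission: acceptable -->
    <receiver android:name=".GatedReceiver" android:exported="true"
        android:permission="com.example.permission.INTERNAL"/>
    <!-- not exported at all: acceptable -->
    <receiver android:name=".PrivateReceiver" android:exported="false"/>
  </application>
</manifest>"""
```

Running find_unprotected_receivers(SAMPLE_MANIFEST) flags .LocationSensorManager and .LegacyReceiver; the same function can be pointed at a manifest decoded from an installed APK with apktool or aapt.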

Mitigation Strategies

The primary mitigation is to update Home Assistant to version 2026.5.3 or later, where the vulnerability is fixed by restricting the export of the LocationSensorManager BroadcastReceiver.

If updating immediately is not possible, consider limiting the installation of untrusted local apps on the device, as the vulnerability requires a local app to send forged broadcasts.

Additionally, monitoring and restricting broadcast intents related to location updates can help reduce risk until the update is applied.
