Description
Home Assistant Community Store (HACS) prior to 1.10.0 contains a path traversal vulnerability that allows unauthenticated attackers to read sensitive files by traversing directories via the /hacsfiles/ endpoint. Attackers can retrieve the .storage/auth file containing user credentials and refresh tokens, then craft valid JWT tokens to gain administrative access to Home Assistant instances.
Published: 2026-05-16
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

HACS prior to 1.10.0 contains a path traversal flaw that lets an unauthenticated attacker read arbitrary files via the /hacsfiles/ endpoint. The vulnerability is exploited to read the .storage/auth file, which stores user credentials and refresh tokens. With these tokens an attacker can forge valid JWT tokens and obtain administrative access to a Home Assistant instance, effectively hijacking the account. The flaw is classified as CWE-22 (path traversal) and results in privileged account compromise.

Affected Systems

The vulnerability affects Home Assistant’s Community Store integration, specifically HACS versions prior to 1.10.0 on installations that have not yet applied the fix. Systems running Home Assistant with HACS enabled and exposing the /hacsfiles/ endpoint are at risk.

Risk and Exploitability

The CVSS score of 8.7 indicates a high potential impact if exploited. However, the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The vulnerability allows an unauthenticated attacker to read sensitive files via the /hacsfiles/ endpoint, retrieve the .storage/auth file containing credentials, and craft JWT tokens to gain administrative access. While the security impact is severe, the low exploitation probability means that administrators should promptly apply the fix but can also monitor for suspicious activity. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 26, 2026 at 02:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HACS to the latest patched version, preferably >= 1.10.1
  • If upgrading is not immediately possible, restrict network access to the /hacsfiles/ endpoint so that only trusted users can query it
  • Disable elevation of privilege for the .storage/auth file and consider removing or encrypting the stored JWT tokens so that compromised tokens cannot be abused

Generated by OpenCVE AI on May 26, 2026 at 02:22 UTC.
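The root cause described above is a file-serving endpoint that does not confine the resolved path to its intended directory, and the analysis advises administrators to monitor for suspicious activity. The following is an added example, not HACS's own handler or any code from the project: it models a generic static-file endpoint mounted at /hacsfiles/, shows the containment check that refuses requests whose resolved target leaves the served root (including percent-encoded and symlink variants), and reuses that same check to flag traversal attempts in constructed CLF-style access-log lines. The directory layout (a served www/ directory beside .storage/auth), the log format and the IP addresses are assumptions built for the demonstration.

```python
"""Path-containment check for a static-file endpoint, plus log triage.

Added example, not HACS's own code. It models a generic handler that maps
URL paths under /hacsfiles/ onto a directory on disk (the root), refuses any
request whose resolved target leaves that root (the CWE-22 mitigation), and
reuses the same check to flag traversal attempts in access-log lines.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path
from urllib.parse import unquote

ENDPOINT_PREFIX = "/hacsfiles/"  # endpoint named in the advisory


def resolve_under_root(root: Path, request_path: str) -> Path | None:
    """Return the on-disk path for ``request_path`` or None if it must be refused.

    The relative part is percent-decoded, joined to ``root`` and fully resolved
    (so ``..`` segments and symlinks are collapsed) before being compared with
    the resolved root. Anything that does not land inside the root, contains a
    NUL byte, or names a hidden (dot-prefixed) component is refused.
    """
    path_only = request_path.split("?", 1)[0]  # ignore the query string
    if not path_only.startswith(ENDPOINT_PREFIX):
        return None
    relative = unquote(path_only[len(ENDPOINT_PREFIX):])
    if "\x00" in relative:
        return None
    root_resolved = root.resolve()
    # pathlib discards ``root`` when ``relative`` is absolute; resolve() then
    # yields a path outside the root and relative_to() raises below.
    candidate = (root_resolved / relative).resolve()
    try:
        inside = candidate.relative_to(root_resolved)
    except ValueError:
        return None  # resolved target escaped the root (traversal or symlink)
    if any(part.startswith(".") for part in inside.parts):
        return None  # defence in depth: never serve dotfiles such as .storage/*
    return candidate  # caller still checks is_file() before serving


# Constructed CLF-style lines for the demonstration; not real Home Assistant logs.
SAMPLE_LOG = """\
192.0.2.10 - - [16/May/2026:10:00:00 +0000] "GET /hacsfiles/community/card.js?hacstag=1 HTTP/1.1" 200 512
198.51.100.7 - - [16/May/2026:10:00:05 +0000] "GET /hacsfiles/../.storage/auth HTTP/1.1" 200 4096
198.51.100.7 - - [16/May/2026:10:00:09 +0000] "GET /hacsfiles/..%2F.storage%2Fauth HTTP/1.1" 200 4096
203.0.113.5 - - [16/May/2026:10:01:00 +0000] "GET /api/states HTTP/1.1" 401 0
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_traversal_requests(root: Path, log_text: str) -> list[tuple[str, str, str]]:
    """Return (ip, path, status) for endpoint requests the resolver would refuse.

    A 200 on a refused path is the strongest signal: it means an unpatched
    handler actually served the file.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = m.group("path")
        if path.startswith(ENDPOINT_PREFIX) and resolve_under_root(root, path) is None:
            hits.append((m.group("ip"), path, m.group("status")))
    return hits


def build_demo_tree() -> Path:
    """Create a throwaway config dir: www/ (served root) beside .storage/auth."""
    config = Path(tempfile.mkdtemp(prefix="ha-demo-"))
    (config / "www" / "community").mkdir(parents=True)
    (config / "www" / "community" / "card.js").write_text("// plugin\n")
    (config / ".storage").mkdir()
    (config / ".storage" / "auth").write_text('{"constructed": true}\n')
    return config / "www"


if __name__ == "__main__":
    root = build_demo_tree()
    print("served:", resolve_under_root(root, "/hacsfiles/community/card.js"))
    print("refused:", resolve_under_root(root, "/hacsfiles/../.storage/auth"))
    for ip, path, status in flag_traversal_requests(root, SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path} (status {status})")
```

The order of operations in resolve_under_root is the point: decode first, then join, then resolve, then compare, so that an encoded separator, a `..` segment or a symlink planted inside the served directory cannot slip past a string-prefix check done on the raw URL. When triaging real logs, treat a refused path that returned 200 before the upgrade as evidence that the file was disclosed and rotate the affected credentials and refresh tokens.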


Advisories

No advisories yet.

History

Wed, 27 May 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Hacs; Hacs Home Assistant Community Store
CPEs | | cpe:2.3:a:hacs:home_assistant_community_store:*:*:*:*:*:*:*:*
Vendors & Products | | Hacs; Hacs Home Assistant Community Store

Tue, 26 May 2026 00:00:00 +0000

Type | Values Removed | Values Added
Description | Home Assistant Community Store (HACS) 1.10.0 contains a path traversal vulnerability that allows unauthenticated attackers to read sensitive files by traversing directories via the /hacsfiles/ endpoint. Attackers can retrieve the .storage/auth file containing user credentials and refresh tokens, then craft valid JWT tokens to gain administrative access to Home Assistant instances. | Home Assistant Community Store (HACS) prior to 1.10.0 contains a path traversal vulnerability that allows unauthenticated attackers to read sensitive files by traversing directories via the /hacsfiles/ endpoint. Attackers can retrieve the .storage/auth file containing user credentials and refresh tokens, then craft valid JWT tokens to gain administrative access to Home Assistant instances.

Mon, 18 May 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 17 May 2026 18:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Home-assistant; Home-assistant Home Assistant Community Store
Vendors & Products | | Home-assistant; Home-assistant Home Assistant Community Store

Sat, 16 May 2026 15:45:00 +0000

Type | Values Removed | Values Added
Description | | Home Assistant Community Store (HACS) 1.10.0 contains a path traversal vulnerability that allows unauthenticated attackers to read sensitive files by traversing directories via the /hacsfiles/ endpoint. Attackers can retrieve the .storage/auth file containing user credentials and refresh tokens, then craft valid JWT tokens to gain administrative access to Home Assistant instances.
Title | | Home Assistant Community Store 1.10.0 Path Traversal Account Takeover
Weaknesses | | CWE-22
References | |
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}; cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-25T23:41:16.426Z

Reserved: 2026-02-01T11:24:18.718Z

Link: CVE-2021-47942

Vulnrichment

Updated: 2026-05-18T19:58:54.430Z

NVD

Status : Analyzed

Published: 2026-05-16T16:16:21.390

Modified: 2026-05-27T20:42:44.350

Link: CVE-2021-47942

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T02:30:26Z

Weaknesses