Description
Home Assistant Community Store (HACS) 1.10.0 contains a path traversal vulnerability that allows unauthenticated attackers to read sensitive files by traversing directories via the /hacsfiles/ endpoint. Attackers can retrieve the .storage/auth file containing user credentials and refresh tokens, then craft valid JWT tokens to gain administrative access to Home Assistant instances.
Published: 2026-05-16
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

HACS 1.10.0 contains a path traversal flaw (CWE-22) in the /hacsfiles/ endpoint that lets an unauthenticated attacker read files outside the directory the endpoint is meant to serve. The target of interest is Home Assistant's .storage/auth file, which stores user records and refresh tokens. With that material an attacker can craft JWT access tokens that Home Assistant accepts and obtain administrative access, a full account takeover that never requires a password. Note that both CVSS vectors on this page score confidentiality impact only (C:H/I:N/A:N); the integrity and availability consequences of the resulting admin session are not reflected in the number.
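As an added illustration (not HACS's own code, and not a reproduction of the exact defect in 1.10.0), the generic static-file resolver below shows the CWE-22 shape the description implies: the vulnerable join beside a confined version. The directory layout, the served path /srv/homeassistant/www/community and the request strings are assumptions chosen for the demo; the only fact taken from the record is that the prize is .storage/auth under the Home Assistant configuration directory.

```python
# Generic CWE-22 illustration added for this page. Not HACS source.
# Layout below is an assumption: Home Assistant's config dir holds
# .storage/auth, and the endpoint is meant to serve only files under
# <config>/www/community.
from __future__ import annotations

from pathlib import Path
from typing import Optional
from urllib.parse import unquote

CONFIG_DIR = "/srv/homeassistant"                      # assumed
SERVED_DIR = "/srv/homeassistant/www/community"        # assumed


def fully_decode(s: str, rounds: int = 3) -> str:
    """Undo percent-encoding until it stops changing, so that a
    double-encoded '..' (%252e%252e) is treated like a literal '..'."""
    for _ in range(rounds):
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    return s


def naive_resolve(base_dir: str, requested: str) -> Path:
    """The vulnerable shape: join the client path onto the document root
    and serve whatever that resolves to."""
    return (Path(base_dir) / fully_decode(requested)).resolve()


def safe_resolve(base_dir: str, requested: str) -> Optional[Path]:
    """Decode, reject obviously hostile bytes, resolve '..' and symlinks,
    then confine the result to base_dir. Returns None on escape."""
    base = Path(base_dir).resolve()
    decoded = fully_decode(requested)
    if "\x00" in decoded or "\\" in decoded:
        return None
    # lstrip('/') stops an absolute request path from replacing base.
    candidate = (base / decoded.lstrip("/")).resolve()
    # Containment check after resolve(): '..' and symlinks are already
    # collapsed, so a prefix comparison on the path object is sound.
    if candidate != base and base not in candidate.parents:
        return None
    return candidate


def compare(requested: str) -> dict:
    """What each resolver does with one request path."""
    safe = safe_resolve(SERVED_DIR, requested)
    return {
        "naive": str(naive_resolve(SERVED_DIR, requested)),
        "safe": None if safe is None else str(safe),
    }


if __name__ == "__main__":
    for req in ("lovelace-card/card.js",
                "../../.storage/auth",
                "%2e%2e/%2e%2e/.storage/auth",
                "%252e%252e/%252e%252e/.storage/auth"):
        print(f"{req!r:45} -> {compare(req)}")
```

Run it to see that `../../.storage/auth` and its single- and double-encoded forms resolve to the auth store under the naive join and are refused by the confined one. The containment step is the fix that matters: decoding alone is not enough because a literal `..` needs no encoding, and a substring check for `..` is not enough either because `resolve()` also follows symlinks that a substring check never sees.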

Affected Systems

The record names HACS (Home Assistant Community Store) 1.10.0 as affected and does not enumerate other versions or a fixed release. Home Assistant instances with HACS installed serve the /hacsfiles/ endpoint, and because the flaw needs no authentication, any such instance reachable from an untrusted network (directly, through a reverse proxy, or through a tunnel) is exposed to anyone who can send it an HTTP request.

Risk and Exploitability

The CVSS v4.0 score of 8.7 (v3.1: 7.5) indicates high severity. The vector is network-reachable, low complexity, no privileges and no user interaction (AV:N/AC:L/PR:N/UI:N), so exploitation is a single crafted HTTP request. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, but given the trivial attack and the sensitivity of the file reached, administrators should treat it as immediately exploitable by anyone who can reach the instance.

Generated by OpenCVE AI on May 16, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HACS as soon as the project publishes a release that addresses this issue. This page lists no fixed version, so check the HACS release notes rather than assuming a particular version number.
  • Until then, keep the Home Assistant instance, and with it /hacsfiles/, off untrusted networks. If a reverse proxy fronts the instance, restrict /hacsfiles/ to trusted clients and, as defence in depth, have the proxy reject request paths that contain ../ or its URL-encoded forms before they reach Home Assistant.
  • Treat every refresh token in .storage/auth as potentially exposed on any instance that was reachable while vulnerable: have each user revoke their refresh tokens and long-lived access tokens from the profile page in Home Assistant, since tokens already copied out keep working until they are revoked. Encrypting the file at rest does not help against this bug, because the Home Assistant process reads it in the clear on the attacker's behalf.
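Added detection example, not from the CVE record or from HACS: a scanner over reverse-proxy access logs that flags requests whose path escapes /hacsfiles/ after percent-decoding and `..` resolution, and marks those that reach `.storage/auth`. The log lines, addresses, timestamps and status codes are constructed samples in nginx combined format.

```python
# Added detection example for traversal attempts against /hacsfiles/.
# The log lines are constructed samples, not real traffic.
from __future__ import annotations

import posixpath
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

PREFIX = "/hacsfiles/"

# nginx "combined" format; $request holds the raw request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

SAMPLE_LOG = """\
203.0.113.7 - - [16/May/2026:15:02:11 +0000] "GET /hacsfiles/lovelace-card/card.js HTTP/1.1" 200 4812 "-" "Mozilla/5.0"
203.0.113.7 - - [16/May/2026:15:02:13 +0000] "GET /hacsfiles/../../.storage/auth HTTP/1.1" 200 9137 "-" "curl/8.5.0"
198.51.100.23 - - [16/May/2026:15:04:40 +0000] "GET /hacsfiles/%2e%2e/%2e%2e/.storage/auth?x=1 HTTP/1.1" 200 9137 "-" "python-requests/2.31.0"
198.51.100.23 - - [16/May/2026:15:04:41 +0000] "GET /hacsfiles/%252e%252e/%252e%252e/.storage/core.config HTTP/1.1" 404 0 "-" "python-requests/2.31.0"
192.0.2.9 - - [16/May/2026:15:05:02 +0000] "GET /api/states HTTP/1.1" 401 38 "-" "Mozilla/5.0"
""".splitlines()


def analyse_target(target: str) -> Optional[dict]:
    """Return a finding if the request path leaves /hacsfiles/ once
    percent-encoding (two rounds, to cover double encoding) and '..'
    segments are resolved; None for benign requests."""
    path = urlsplit(target).path
    if not path.startswith(PREFIX):
        return None
    decoded = unquote(unquote(path)).replace("\\", "/")
    resolved = posixpath.normpath(decoded)
    if resolved == PREFIX.rstrip("/") or resolved.startswith(PREFIX):
        return None  # still inside the intended prefix
    return {
        "raw": path,
        "resolved": resolved,
        "reads_auth": resolved.endswith("/.storage/auth"),
    }


def scan_log(lines) -> list[dict]:
    """Parse each access-log line and collect traversal findings, with
    the client address, timestamp and response status attached."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = analyse_target(m["target"])
        if finding:
            finding.update(ip=m["ip"], ts=m["ts"], status=int(m["status"]))
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "AUTH STORE" if f["reads_auth"] else "traversal"
        print(f"{f['ts']} {f['ip']:15} {f['status']} {flag:10} {f['raw']} -> {f['resolved']}")
```

A 200 on a flagged line means the instance served the file, which is the cue to start rotating tokens rather than just blocking the source address; a 400 or 404 means the request was refused. The scanner normalises with posixpath.normpath rather than matching `..` as a substring, so benign paths such as /hacsfiles/a/../b.js that stay under the prefix do not raise noise.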


Advisories

No advisories yet.

History

Sat, 16 May 2026 15:45:00 +0000

Values removed: none
Values added:
  • Description: Home Assistant Community Store (HACS) 1.10.0 contains a path traversal vulnerability that allows unauthenticated attackers to read sensitive files by traversing directories via the /hacsfiles/ endpoint. Attackers can retrieve the .storage/auth file containing user credentials and refresh tokens, then craft valid JWT tokens to gain administrative access to Home Assistant instances.
  • Title: Home Assistant Community Store 1.10.0 Path Traversal Account Takeover
  • Weaknesses: CWE-22
  • References: none
  • Metrics:
      cvssV3_1: score 7.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
      cvssV4_0: score 8.7, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-16T15:28:07.743Z

Reserved: 2026-02-01T11:24:18.718Z

Link: CVE-2021-47942

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-16T16:16:21.390

Modified: 2026-05-16T16:16:21.390

Link: CVE-2021-47942

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-16T16:30:27Z

Weaknesses