Description
HomeBox is a home inventory and organization system. Prior to 0.24.0, the authentication rate limiter (authRateLimiter) tracks failed attempts per client IP. It determines the client IP by reading, in order, (1) the X-Real-IP header, (2) the first entry of the X-Forwarded-For header, and (3) r.RemoteAddr (the TCP connection address). These headers were read unconditionally. An attacker connecting directly to HomeBox could forge any value in X-Real-IP, effectively getting a fresh rate limit identity per request. There is a TrustProxy option in the configuration (Options.TrustProxy, default false), but this option was never read by any middleware or rate limiter code. Additionally, chi's middleware.RealIP was applied unconditionally in main.go, overwriting r.RemoteAddr with the forged header value before it reaches any handler. This vulnerability is fixed in 0.24.0.
Published: 2026-03-03
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication rate limiting bypass enabling brute force attempts
Action: Patch immediately
AI Analysis

Impact

HomeBox implements an authentication rate limiter that counts failed attempts by client IP. The service unconditionally reads the X-Real-IP header, the first entry of X-Forwarded-For, and the TCP remote address, and it applies an unconditional real-IP middleware that overwrites the remote address with the value of X-Real-IP. An attacker can send forged X-Real-IP values, causing each request to appear to come from a new IP and therefore receive a fresh rate-limit counter. This flaw allows an attacker to repeatedly attempt credential logins without triggering the limiter, potentially leading to unauthorized access. The weakness is classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts).
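To make the lookup order described above concrete, here is an added Go example (not HomeBox's own code) that models the pre-0.24.0 identity resolution next to a TrustProxy-gated variant and counts how many limiter buckets a run of forged requests lands in. The function names, request helper and IP addresses are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// clientIP resolves the rate-limit identity. With trustProxy=true it follows
// the pre-0.24.0 order from the description (X-Real-IP, first X-Forwarded-For
// entry, then TCP peer); HomeBox applied that order unconditionally. With
// trustProxy=false (the TrustProxy default) only the TCP peer is used.
func clientIP(r *http.Request, trustProxy bool) string {
	if trustProxy {
		if ip := r.Header.Get("X-Real-IP"); ip != "" {
			return ip
		}
		if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
			return strings.TrimSpace(strings.Split(xff, ",")[0])
		}
	}
	if host, _, err := net.SplitHostPort(r.RemoteAddr); err == nil {
		return host // drop the ephemeral port so one peer maps to one bucket
	}
	return r.RemoteAddr
}

// forgedLoginAttempts builds n constructed requests from one TCP peer, each
// carrying a different forged X-Real-IP, as the description's direct client would.
func forgedLoginAttempts(n int) []*http.Request {
	reqs := make([]*http.Request, n)
	for i := range reqs {
		reqs[i], _ = http.NewRequest("POST", "/login", nil)
		reqs[i].RemoteAddr = "203.0.113.7:51000" // constructed peer address
		reqs[i].Header.Set("X-Real-IP", fmt.Sprintf("198.51.100.%d", i+1))
	}
	return reqs
}

// limiterBuckets counts the distinct per-IP counters the attempts land in.
func limiterBuckets(reqs []*http.Request, trustProxy bool) int {
	seen := map[string]bool{}
	for _, r := range reqs {
		seen[clientIP(r, trustProxy)] = true
	}
	return len(seen)
}
```

With the header-trusting resolver every forged request gets its own bucket, so no per-IP threshold is ever reached; with the peer-only resolver all of them share one.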

Affected Systems

All editions of HomeBox released before version 0.24.0, distributed by sysadminsmedia, are affected. The vulnerability exists regardless of the configured TrustProxy option because it is never consulted by the rate-limiting logic or the middleware. Users of HomeBox installations older than 0.24.0 should treat the product as vulnerable until an update is applied.

Risk and Exploitability

The CVSS score of 7.4 classifies this flaw as high severity, and the EPSS score of less than 1% indicates a low but non-zero probability of exploitation. The vulnerability requires remote network access, and the exploit path is straightforward: connect directly to the HomeBox service, or route traffic through a proxy that injects forged X-Real-IP headers. Such an attack requires no privileges and no application misconfiguration beyond the ability to send HTTP requests. Because the flaw is not listed in CISA’s KEV catalog, there is currently no publicly known exploitation, but the high severity combined with the simplicity of the attack vector makes it a priority to mitigate immediately.

Generated by OpenCVE AI on April 18, 2026 at 10:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HomeBox to version 0.24.0 or newer, which removes the unvalidated header processing from the rate-limiting logic.
  • If an immediate upgrade is not possible, restrict inbound traffic to HomeBox to trusted networks or apply an additional reverse proxy that strictly validates or removes X-Real-IP and X-Forwarded-For headers before forwarding requests to HomeBox.
  • Deploy an application firewall that enforces a global rate limit on authentication attempts regardless of IP header values.


Advisories

No advisories yet.

History

Thu, 05 Mar 2026 18:00:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:sysadminsmedia:homebox:*:*:*:*:*:*:*:*

Wed, 04 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Sysadminsmedia; Sysadminsmedia homebox
Vendors & Products | | Sysadminsmedia; Sysadminsmedia homebox

Tue, 03 Mar 2026 22:45:00 +0000

Type | Values Removed | Values Added
Description | | (the CVE description text shown at the top of this page)
Title | | HomeBox has an Auth Rate Limit Bypass via IP Spoofing
Weaknesses | | CWE-307
References | |
Metrics | | cvssV3_1 {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-04T16:28:12.402Z

Reserved: 2026-02-25T03:24:57.794Z

Link: CVE-2026-27981

Vulnrichment

Updated: 2026-03-04T16:28:06.030Z

NVD

Status : Analyzed

Published: 2026-03-03T23:15:56.387

Modified: 2026-03-05T17:56:43.943

Link: CVE-2026-27981

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:15:25Z

Weaknesses