This vulnerability exists because the ha‑mcp OAuth consent form renders user‑controlled query parameters directly into the HTML output using Python f‑strings without any escaping. If an attacker can reach the OAuth endpoint and persuade the server operator to click a crafted authorization URL, arbitrary JavaScript will run in the operator’s browser. The exposed weakness is a classic XSS flaw (CWE‑79) that compromises the confidentiality, integrity, and availability of the operator’s session and can be used for credential theft or persistence. The impact is limited to the browser context of the operator but can lead to significant damage if the operator has administrative access to the Home Assistant instance.

Vendors: homeassistant‑ai; Product: ha‑mcp Server. Only the beta OAuth mode (ha‑mcp‑oauth) is affected, which is not part of the default configuration and requires explicit operator setup. All releases prior to 7.0.0 of ha‑mcp contain the flaw; the vulnerability is fixed in version 7.0.0.

The CVSS v3 base score is 6.8, indicating a medium‑to‑high severity. The EPSS score is below 1%, suggesting a low probability of exploitation in the wild. The issue is not listed in the CISA KEV catalog. Attackers would need network or Web access to the OAuth endpoint and the ability to influence the server operator to visit a crafted URL. The flaw is publicly documented and remains unaddressed until the operator updates the software.