Description
Home Assistant is open source home automation software that puts local control and privacy first. Home Assistant apps (formerly add-ons) configured with host network mode expose unauthenticated endpoints bound to the internal Docker bridge interface to the local network. On Linux, this configuration does not restrict access to the app as intended, allowing any device on the same network to reach these endpoints without authentication. Home Assistant Supervisor 2026.03.02 addresses the issue.
Published: 2026-03-27
Score: 9.7 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated access to Home Assistant add-on endpoints from the local network
Action: Immediate Patch
AI Analysis

Impact

Home Assistant apps (add-ons) configured for host network mode expose unauthenticated endpoints that are bound to the internal Docker bridge interface and assumed to be reachable only from inside the Supervisor's network. On Linux that binding does not restrict access as intended, so any device on the same local network can reach the endpoints without authentication. The weakness is CWE-923 (Improper Restriction of Communication Channel to Intended Endpoints); the result is unauthorized disclosure or manipulation of whatever data and controls those apps expose.

Affected Systems

Linux installations managed by Home Assistant Supervisor (including Home Assistant Operating System) running a Supervisor release earlier than 2026.03.02 are affected. The exposure is limited to apps (add-ons) that use host network mode; every such app installed on an unpatched system is reachable from the local network.
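To find out which apps on a host are in the exposed configuration before the Supervisor update is applied, the following audit helper is added here as an example; it is not Supervisor code and not part of the advisory. It parses the output of two standard commands run on the host: `docker inspect $(docker ps -q)` (to list containers running with NetworkMode "host") and `ss -H -ltn` (to classify every TCP listener by the address it is bound to). The bridge subnet 172.30.32.0/23 is an assumption about the Supervisor's internal network; confirm it with `docker network inspect hassio` and adjust if needed. Both sample inputs below are constructed.

```python
"""Audit helper for the Home Assistant host-network-mode exposure (CVE-2026-34205).

Added example, not Supervisor code. Run on the Home Assistant host, where
apps in host network mode share the host's network namespace, so `ss` sees
their sockets directly. Listeners bound to an address on the internal
Docker bridge are the ones the advisory describes as reachable from the LAN.
"""
import ipaddress
import json

# Assumption: the Supervisor's internal Docker bridge network.
# Check with `docker network inspect hassio` and change if yours differs.
BRIDGE_SUBNET = ipaddress.ip_network("172.30.32.0/23")

# Constructed sample of `docker inspect $(docker ps -q)`, reduced to the fields used here.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/addon_example_mqtt", "HostConfig": {"NetworkMode": "host"}},
    {"Name": "/addon_example_ssh", "HostConfig": {"NetworkMode": "host"}},
    {"Name": "/homeassistant", "HostConfig": {"NetworkMode": "hassio"}},
])

# Constructed sample of `ss -H -ltn` on the host (no header line because of -H).
SAMPLE_SS = """\
LISTEN 0      128               0.0.0.0:22        0.0.0.0:*
LISTEN 0      4096          172.30.32.1:1884      0.0.0.0:*
LISTEN 0      128             127.0.0.1:6062      0.0.0.0:*
LISTEN 0      4096                 [::]:1883         [::]:*
LISTEN 0      4096  [::ffff:172.30.32.1]:9001         [::]:*
"""


def host_network_containers(inspect_json: str) -> list[str]:
    """Names of containers whose HostConfig.NetworkMode is 'host'."""
    return sorted(
        c["Name"].lstrip("/")
        for c in json.loads(inspect_json)
        if c.get("HostConfig", {}).get("NetworkMode") == "host"
    )


def classify_listener(local: str) -> tuple[str, int, str]:
    """Classify one 'addr:port' field from ss by the address it is bound to."""
    addr, _, port = local.rpartition(":")
    addr = addr.strip("[]")
    if addr in ("*", "0.0.0.0", "::"):
        return addr, int(port), "all-interfaces"      # deliberately LAN-facing
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop a scope id such as %eth0
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped                            # ::ffff:a.b.c.d is an IPv4 socket
    if ip.is_loopback:
        return addr, int(port), "loopback-only"       # not reachable from the LAN
    if ip in BRIDGE_SUBNET:
        return addr, int(port), "bridge-bound"        # the pattern in the advisory
    return addr, int(port), "specific-address"


def listeners(ss_output: str) -> list[tuple[str, int, str]]:
    """Parse every LISTEN row of `ss -H -ltn` output into (addr, port, verdict)."""
    rows = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[0] == "LISTEN":
            rows.append(classify_listener(fields[3]))
    return rows


def exposed_bridge_listeners(ss_output: str) -> list[tuple[str, int]]:
    """Listeners bound to the bridge address: on a Supervisor before 2026.03.02
    these are reachable from the local network when owned by a host-network app."""
    return [(a, p) for a, p, v in listeners(ss_output) if v == "bridge-bound"]


def report(inspect_json: str, ss_output: str) -> list[str]:
    lines = ["host-network-mode apps: " + ", ".join(host_network_containers(inspect_json)) or "none"]
    for addr, port, verdict in listeners(ss_output):
        lines.append(f"{addr}:{port}  {verdict}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_INSPECT, SAMPLE_SS)))
```

The verdicts are about the bind address only: the script cannot tell which host-network app owns a given socket without `ss -p` and a PID lookup, so treat every "bridge-bound" listener on a host that runs any host-network-mode app as exposed until the Supervisor is updated.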

Risk and Exploitability

The CVSS 3.1 score of 9.7 (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) marks the issue as critical. Exploitation requires no special skill, credentials or user interaction: a device on the same local network simply connects to the exposed endpoint. The attack vector is adjacent, so an attacker first needs a presence on the LAN, for example a compromised or guest device sharing the network. The EPSS estimate is below 1% and the vulnerability is not listed in CISA's KEV catalog, but the missing authentication and the scope change in the vector mean that a single reachable app can affect data and controls beyond the Supervisor itself.

Generated by OpenCVE AI on March 27, 2026 at 22:06 UTC.

Remediation

Fixed in Home Assistant Supervisor 2026.03.02. No vendor workaround is listed for earlier releases.

OpenCVE Recommended Actions

  • Update Home Assistant Supervisor to version 2026.03.02 or later to remove the host network mode exposure. Until the update is applied, treat every app (add-on) running in host network mode as reachable without authentication from any device on the local network.



Advisories

No advisories yet.

History

Mon, 30 Mar 2026 08:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Home-assistant; Home-assistant home-assistant; Home-assistant supervisor
Vendors & Products   -                Home-assistant; Home-assistant home-assistant; Home-assistant supervisor

Fri, 27 Mar 2026 20:00:00 +0000

Type         Values Removed   Values Added
Description  -                Home Assistant is open source home automation software that puts local control and privacy first. Home Assistant apps (formerly add-ons) configured with host network mode expose unauthenticated endpoints bound to the internal Docker bridge interface to the local network. On Linux, this configuration does not restrict access to the app as intended, allowing any device on the same network to reach these endpoints without authentication. Home Assistant Supervisor 2026.03.02 addresses the issue.
Title        -                Home Assistant: Unauthenticated App (Add-on) Endpoints Exposed to Local Network via Host Network Mode
Weaknesses   -                CWE-923
References   -                -
Metrics      -                cvssV3_1 {'score': 9.7, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T19:41:10.707Z

Reserved: 2026-03-26T15:57:52.323Z

Link: CVE-2026-34205

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-27T20:16:35.360

Modified: 2026-03-30T13:26:29.793

Link: CVE-2026-34205

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T07:59:30Z

Weaknesses