CVE-2026-3558 - Vulnerability Details

- Philips Hue Bridge HomeKit Accessory Protocol Transient Pairing Mode Authentication Bypass Vulnerability

Description

Philips Hue Bridge HomeKit Accessory Protocol Transient Pairing Mode Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the configuration of the HomeKit Accessory Protocol service, which listens on TCP port 8080 by default. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-28374.

Published: 2026-03-13

Score: 8.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is an authentication bypass in Philips Hue Bridge’s HomeKit Accessory Protocol service. The service listens on the default TCP port 8080 and does not require authentication to access its functionality. As described in the CVE advisory, an attacker can locate the bridge on the local network, send requests to this port, and control or manipulate the bridge without any credentials. The weakness is identified as CWE-306, reflecting a failure to enforce proper authentication.

Affected Systems

The affected product is Philips Hue Bridge. No specific firmware or model versions are listed in the available data, so the issue is presumed to affect all current models and firmware releases. The lack of version boundaries is explicitly noted.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, but the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not cataloged in the CISA KEV list. Based on the description, the likely attack vector is local network adjacency via TCP port 8080; authentication is not required, so an attacker merely needs network access to the bridge to issue malicious requests.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Philips

Hue Bridge

unknown

Version	Status	Constraints
`1.73.1973146020`	affected	—

No data.

Vendor Product Confidence Versions

Phillips

Hue Bridge

97%

Version	Status	Scheme	Platform
`1.73.1973146020`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Restrict or block TCP port 8080 on the Philips Hue Bridge using firewall or router rules.
Check Philips’ support site for firmware updates that address the HomeKit Accessory Protocol authentication issue and apply any available patches.
Place the Hue Bridge in a separate VLAN or subnet and limit network traffic to trusted devices only.
If able to disable the HomeKit Accessory Protocol service, do so as a temporary measure until a patch is applied.

Generated by OpenCVE AI on March 16, 2026 at 23:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00036.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://www.zerodayinitiative.com/advisories/ZDI-26-156/

History

Mon, 16 Mar 2026 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 16 Mar 2026 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Phillips Phillips hue Bridge
Vendors & Products		Phillips Phillips hue Bridge

Fri, 13 Mar 2026 21:00:00 +0000

Type	Values Removed	Values Added
Description		Philips Hue Bridge HomeKit Accessory Protocol Transient Pairing Mode Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the HomeKit Accessory Protocol service, which listens on TCP port 8080 by default. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-28374.
Title		Philips Hue Bridge HomeKit Accessory Protocol Transient Pairing Mode Authentication Bypass Vulnerability
Weaknesses		CWE-306
References		https://www.zerodayinitiative.com/advisories/ZDI-26-156/
Metrics		cvssV3_0 `{'score': 8.1, 'vector': 'CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}`

Subscriptions

Phillips Hue Bridge

MITRE

Status: PUBLISHED

Assigner: zdi

Published: 2026-03-13T20:36:52.519Z

Updated: 2026-03-16T20:18:40.959Z

Reserved: 2026-03-04T19:42:42.383Z

Link: CVE-2026-3558

Vulnrichment

Updated: 2026-03-16T20:18:37.240Z

NVD

Status : Awaiting Analysis

Published: 2026-03-16T14:19:48.997

Modified: 2026-03-16T14:53:07.390

Link: CVE-2026-3558

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T13:39:52Z

Weaknesses

CWE-306

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object