Description
HomeBox is a home inventory and organization system. Versions prior to 0.25.0 contain a vulnerability where the defaultGroup ID remained permanently assigned to a user after being invited to a group, even after their access to that group was revoked. While the web interface correctly enforced the access revocation and prevented the user from viewing or modifying the group's contents, the API did not. Because the original group ID persisted as the user's defaultGroup, and this value was not properly validated when the X-Tenant header was omitted, the user could still perform full CRUD operations on the group's collections through the API, bypassing the intended access controls. This issue has been fixed in version 0.25.0.
Published: 2026-04-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized API access
Action: Patch
AI Analysis

Impact

HomeBox versions prior to 0.25.0 suffered from improper access control. When a user was invited to a group, the group’s ID was permanently stored as the user’s defaultGroup. Even after their access to that group was revoked, the API did not enforce the revocation because the X-Tenant header was optional and the stored defaultGroup ID was not validated. Consequently, a denied user could issue CRUD requests on the group’s collections through the API, bypassing the web interface’s enforcement. This flaw exposes the group’s data to unauthorized actors and can lead to unintended disclosure, alteration, and deletion of assets. The weakness is categorized as CWE-708, improper access control.

Affected Systems

The HomeBox inventory system from sysadminsmedia, in any release before 0.25.0. No specific sub-version list is provided beyond the fact that the problem exists in all older releases.

Risk and Exploitability

The CVSS score of 8.1 marks the issue as high severity. EPSS is not available, so the current exploitation probability cannot be quantified. The vulnerability is not listed in the CISA KEV catalog, indicating that no public exploits are documented. However, because API access is remote and the flaw stems from missing validation, a malicious actor who has been revoked from a group can exploit the API by omitting the X-Tenant header or by providing the persisted defaultGroup ID, thereby performing full CRUD operations on the group's data.

Generated by OpenCVE AI on April 18, 2026 at 08:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HomeBox to version 0.25.0 or later, which removes the persistent defaultGroup assignment.
  • Ensure all API requests include a valid X-Tenant header that matches the requester's current group membership, and enforce server-side validation of this header before processing CRUD operations.
  • Audit API activity logs for unexpected CRUD actions on collections belonging to groups from which a user has been revoked, and immediately revoke or block any unauthorized access found.
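Added example in Go (the language HomeBox is written in), not code from the HomeBox project: a hypothetical tenant-resolution helper in the weak shape the advisory describes (X-Tenant optional, stored defaultGroup trusted as the fallback) beside a hardened one that honours the resolved group only if the requester is a current member. The User type, its field names and the group IDs are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// User is a hypothetical model (not HomeBox's own type) carrying the two fields
// the flaw turns on: the persisted default group and current, revocation-aware memberships.
type User struct {
	ID           string
	DefaultGroup string
	Memberships  map[string]bool
}

var ErrTenantForbidden = errors.New("tenant: requester is not a current member of the resolved group")

// resolveTenant mirrors the pre-0.25.0 pattern: X-Tenant if present, else the stored default group.
func resolveTenant(u *User, hdr http.Header) string {
	if t := hdr.Get("X-Tenant"); t != "" {
		return t
	}
	return u.DefaultGroup
}

// ResolveTenantUnchecked is the weak shape: the resolved group is never compared
// against current membership, so a stale DefaultGroup keeps granting access.
func ResolveTenantUnchecked(u *User, hdr http.Header) (string, error) {
	return resolveTenant(u, hdr), nil
}

// ResolveTenantChecked is the hardened shape: whichever source the group ID came
// from (header or fallback), it is honoured only if the user is a member right now.
func ResolveTenantChecked(u *User, hdr http.Header) (string, error) {
	g := resolveTenant(u, hdr)
	if g == "" || !u.Memberships[g] {
		return "", ErrTenantForbidden
	}
	return g, nil
}

func main() {
	// Constructed scenario: invited to "grp-A", later revoked; DefaultGroup
	// still says "grp-A" but Memberships no longer contains it.
	u := &User{ID: "u1", DefaultGroup: "grp-A", Memberships: map[string]bool{"grp-own": true}}
	g, _ := ResolveTenantUnchecked(u, http.Header{})
	_, err := ResolveTenantChecked(u, http.Header{})
	fmt.Printf("unchecked: %s, checked: %v\n", g, err)
}
```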

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 23:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Sysadminsmedia; Sysadminsmedia homebox
Vendors & Products | | Sysadminsmedia; Sysadminsmedia homebox

Fri, 17 Apr 2026 21:15:00 +0000

Type | Values Removed | Values Added
Description | | HomeBox is a home inventory and organization system. Versions prior to 0.25.0 contain a vulnerability where the defaultGroup ID remained permanently assigned to a user after being invited to a group, even after their access to that group was revoked. While the web interface correctly enforced the access revocation and prevented the user from viewing or modifying the group's contents, the API did not. Because the original group ID persisted as the user's defaultGroup, and this value was not properly validated when the X-Tenant header was omitted, the user could still perform full CRUD operations on the group's collections through the API, bypassing the intended access controls. This issue has been fixed in version 0.25.0.
Title | | HomeBox has Unauthorized API Access via Retained defaultGroup ID After Group Access Revocation
Weaknesses | | CWE-708
References | |
Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-17T21:01:18.530Z

Reserved: 2026-04-09T20:59:17.620Z

Link: CVE-2026-40196

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-17T21:16:33.863

Modified: 2026-04-17T21:16:33.863

Link: CVE-2026-40196

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T09:00:05Z

Weaknesses