Description
Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.4.1 for iOS and 2026.4.4 for Android, he Home Assistant Companion apps for Android and iOS expose a JavaScript bridge to the in-app WebView window.externalApp on Android and webkit.messageHandlers.getExternalAuth (alongside revokeExternalAuth and externalBus) on iOS. Two flaws expose the bridge to all frames (including cross-origin iframes) and unsanitized interpolation of the JavaScript callback identifier allows a cross-origin iframe rendered inside the Companion app to execute arbitrary JavaScript in the Home Assistant frontend's main-frame origin and exfiltrate the signed-in user's access token. This vulnerability is fixed in 2026.4.1 for iOS and 2026.4.4 for Android.
Published: 2026-05-29
Score: 8.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when the Home Assistant Companion apps expose a JavaScript bridge to the in‑app WebView. The bridge is accessible to all frames, including cross‑origin iframes, and injects the callback identifier without sanitization. An attacker can host a malicious iframe inside the app, causing the injected JavaScript to execute in the main‑frame origin and steal the signed‑in user’s access token. This enables an attacker to impersonate the user without needing credentials and to gain full control over the user’s Home Assistant instance.

Affected Systems

Affected vendors are Home Assistant Companion app for Android versions earlier than 2026.4.4 and for iOS earlier than 2026.4.1, as well as the home‑assistant core (though the core itself is not directly implicated). Updating to the fixed releases eliminates the flaw.

Risk and Exploitability

The CVSS score of 8.3 indicates a high severity weakness. While no EPSS score is publicly available and the vulnerability is not listed in CISA KEV, the likelihood of exploitation depends on an attacker’s ability to serve malicious content within a cross‑origin iframe inside the Companion app. Given the nature of the flaw—unsanitized execution of JavaScript—the attack can be carried out from within the app without additional user interaction, making it a potentially feasible local or remote attack vector.

Generated by OpenCVE AI on May 29, 2026 at 15:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Home Assistant Companion app update: 2026.4.1 for iOS and 2026.4.4 for Android.
  • Ensure the in‑app WebView bridge is disabled or removed if the feature is not needed.
  • Configure the app or network to block loading of external iframes from unknown origins within the Companion app.

Generated by OpenCVE AI on May 29, 2026 at 15:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Home-assistant
Home-assistant companion App
Home-assistant core
Vendors & Products Home-assistant
Home-assistant companion App
Home-assistant core

Fri, 29 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 29 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.4.1 for iOS and 2026.4.4 for Android, he Home Assistant Companion apps for Android and iOS expose a JavaScript bridge to the in-app WebView window.externalApp on Android and webkit.messageHandlers.getExternalAuth (alongside revokeExternalAuth and externalBus) on iOS. Two flaws expose the bridge to all frames (including cross-origin iframes) and unsanitized interpolation of the JavaScript callback identifier allows a cross-origin iframe rendered inside the Companion app to execute arbitrary JavaScript in the Home Assistant frontend's main-frame origin and exfiltrate the signed-in user's access token. This vulnerability is fixed in 2026.4.1 for iOS and 2026.4.4 for Android.
Title Home Assistant: Cross-origin iframe access token exfiltration via WebView JS bridge callback injection
Weaknesses CWE-346
CWE-749
CWE-94
CWE-940
References
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Home-assistant Companion App Core
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T13:58:53.347Z

Reserved: 2026-05-07T17:07:09.316Z

Link: CVE-2026-44698

cve-icon Vulnrichment

Updated: 2026-05-29T13:58:49.847Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-29T14:16:28.823

Modified: 2026-05-29T16:25:57.843

Link: CVE-2026-44698

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T15:46:28Z

Weaknesses