Description
Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.6.0, the Konnected integration registers an HTTP endpoint, KonnectedView (homeassistant/components/konnected/__init__.py), that is marked as not requiring authentication (requires_auth = False). A comment next to that line says auth is instead handled "via the access token from configuration." That promise is only half true. Write requests (POST and PUT) are handled by update_sensor(), which does check the request's Authorization: Bearer <token> header against the integration's stored access tokens (using hmac.compare_digest). Read requests (GET) are handled by a separate get() method that has no authentication check at all. This vulnerability is fixed in 2026.6.0.
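The asymmetry described above (a view registered with requires_auth = False whose write handlers validate the bearer token while the read handler does not) is easy to reproduce and easy to test for. The following is an added example, not code from Home Assistant or the Konnected integration: aiohttp's HomeAssistantView is replaced by a plain class with a dict-based request, and the token values, the panel state, the _authorize helper name and the dispatch function are all constructed for this demonstration. The vulnerable shape is shown beside a hardened shape in which a single authorization step runs before every method, so that setting requires_auth = False cannot silently leave one verb unprotected.

```python
import hmac
from dataclasses import dataclass, field

# Constructed sample tokens standing in for the access tokens the integration
# loads from its configuration (values are made up for this example).
CONFIGURED_TOKENS = {
    "panel-1": "tok-1111111111",
    "panel-2": "tok-2222222222",
}

# Constructed stand-in for the switch state and zone topology a real handler
# would read from the integration's stored data.
PANEL_STATE = {"switches": {"siren": "off"}, "zones": {"1": "door", "2": "motion"}}


@dataclass
class Request:
    """Minimal stand-in for an aiohttp request: just a method and headers."""
    method: str
    headers: dict = field(default_factory=dict)


def bearer_token(request):
    """Return the token from 'Authorization: Bearer <token>', or None if absent."""
    scheme, _, token = request.headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def token_is_valid(token, stored_tokens=CONFIGURED_TOKENS):
    """Constant-time comparison against every stored token (no early exit)."""
    if token is None:
        return False
    matched = False
    for stored in stored_tokens.values():
        if hmac.compare_digest(stored.encode(), token.encode()):
            matched = True
    return matched


class VulnerableView:
    """The pattern from the advisory: only the write handlers check the token."""
    requires_auth = False

    def get(self, request):
        # No authentication here: any caller that can reach the endpoint gets the state.
        return 200, PANEL_STATE

    def post(self, request):
        if not token_is_valid(bearer_token(request)):
            return 401, {"error": "unauthorized"}
        return 200, {"ok": True}

    put = post


class HardenedView:
    """Same endpoint, but one authorization step runs before every method."""
    requires_auth = False

    def _authorize(self, request):
        # Hypothetical helper: returns an error response, or None when the token is good.
        if not token_is_valid(bearer_token(request)):
            return 401, {"error": "unauthorized"}
        return None

    def get(self, request):
        denied = self._authorize(request)
        if denied:
            return denied
        return 200, PANEL_STATE

    def post(self, request):
        denied = self._authorize(request)
        if denied:
            return denied
        return 200, {"ok": True}

    put = post


def dispatch(view, request):
    """Route a request to the view method named after its HTTP verb."""
    handler = getattr(view, request.method.lower(), None)
    if handler is None:
        return 405, {"error": "method not allowed"}
    return handler(request)


def status_matrix(view):
    """Status codes for each verb with no token, plus GET with a valid and a wrong token."""
    valid = {"Authorization": f"Bearer {CONFIGURED_TOKENS['panel-1']}"}
    wrong = {"Authorization": "Bearer tok-0000000000"}
    return {
        "GET/no-token": dispatch(view, Request("GET"))[0],
        "POST/no-token": dispatch(view, Request("POST"))[0],
        "PUT/no-token": dispatch(view, Request("PUT"))[0],
        "GET/valid-token": dispatch(view, Request("GET", valid))[0],
        "GET/wrong-token": dispatch(view, Request("GET", wrong))[0],
    }


if __name__ == "__main__":
    print("vulnerable:", status_matrix(VulnerableView()))
    print("hardened:  ", status_matrix(HardenedView()))
```

The status matrix is the check a reviewer or an integration test should run against any view that opts out of framework authentication: every verb the view implements must return 401 without a token, not just the ones that write.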
Published: 2026-06-23
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CVE details a flaw in Home Assistant's Konnected integration. Prior to version 2026.6.0, the integration registers an HTTP endpoint, KonnectedView, that is marked as not requiring authentication. Although write requests (POST and PUT) are checked against an access token, read requests (GET) are served by a handler that performs no authentication check. Consequently, any device on the local network can retrieve the alarm-panel switch state and zone topology, exposing sensitive configuration and operational data. Because the GET handler never consults the token at all, this amounts to a complete authentication bypass for read requests and results in full disclosure of that data. The vulnerability was fixed in Home Assistant 2026.6.0.

Affected Systems

Systems affected are installations of Home Assistant core that include the Konnected integration before the 2026.6.0 release. Any deployment running the older integration code (homeassistant/components/konnected/__init__.py) without applying that version contains the vulnerable endpoint. The issue applies to all versions of the integration bundled with Home Assistant prior to the fixed release.

Risk and Exploitability

The CVSS score of 7.6 reflects a high-impact information-disclosure vulnerability. No public exploit code is known, and the EPSS score is currently unavailable, but the vulnerability is trivially exploited by any device on the same LAN; no authentication or elevated privileges are required. The lack of access control on the read handler lets an attacker enumerate alarm panel settings and potentially stage further attacks. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on June 24, 2026 at 10:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Home Assistant core to version 2026.6.0 or later, which removes the unauthenticated GET endpoint.
  • If an upgrade cannot be performed immediately, use network segmentation or firewall rules to block access to the Konnected integration's /konnected route from untrusted devices.
  • Verify that the Konnected integration is properly configured to require an access token for all requests and, if possible, ask the integration's authors to enforce authentication on GET handlers in future releases.



Advisories
Source ID Title
Github GHSA GHSA-x84v-g949-293w Home Assistant: Konnected alarm-panel switch state and zone topology disclosed to unauthenticated actors on the LAN
History

Tue, 23 Jun 2026 22:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Home-assistant; Home-assistant core

Type: Vendors & Products
Values Removed: (none)
Values Added: Home-assistant; Home-assistant core

Tue, 23 Jun 2026 18:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.6.0, the Konnected integration registers an HTTP endpoint, KonnectedView (homeassistant/components/konnected/__init__.py), that is marked as not requiring authentication (requires_auth = False). A comment next to that line says auth is instead handled "via the access token from configuration." That promise is only half true. Write requests (POST and PUT) are handled by update_sensor(), which does check the request's Authorization: Bearer <token> header against the integration's stored access tokens (using hmac.compare_digest). Read requests (GET) are handled by a separate get() method that has no authentication check at all. This vulnerability is fixed in 2026.6.0.

Type: Title
Values Removed: (none)
Values Added: Home Assistant: Konnected alarm-panel switch state and zone topology disclosed to unauthenticated actors on the LAN

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-200; CWE-306

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T17:39:17.825Z

Reserved: 2026-06-12T18:42:02.223Z

Link: CVE-2026-54317

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T10:30:14Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-306

    Missing Authentication for Critical Function