Description
Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.5.3, the LocationSensorManager BroadcastReceiver is exported with no permission. Any installed app, with zero runtime permissions, can broadcast a forged Google Play Services LocationResult directly to it; the receiver trusts the extra and forwards it to the user's Home Assistant server as the device's real location. This bypasses Android's developer-mode "Mock Location" gate and allows a local malicious app to drive zone-based automations (unlock door / disarm alarm / open garage) by faking the user's GPS position. This vulnerability is fixed in 2026.5.3.
Published: 2026-06-23
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An Android BroadcastReceiver named LocationSensorManager in Home Assistant was exported without a required permission. Any app on the device can send a crafted Intent containing a Google Play Services LocationResult, and the receiver unconditionally trusts the payload, forwarding it to the Home Assistant server as the device’s real location. The flaw, classified as CWE‑926, allows an attacker to spoof geographic coordinates and manipulate zone‑based automations such as unlocking doors, disarming alarms, or opening garages. The result is a severe compromise of the user’s physical environment because the application cannot distinguish authentic GPS data from forged input.
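The weakness described above is CWE-926 in its most common Android form: a receiver that a co-installed app can reach because it is exported and unguarded. The AndroidManifest.xml fragments below are a constructed illustration added here, not Home Assistant's real manifest or its fix; the receiver class name `.location.ExampleLocationReceiver`, the action string and the permission name are placeholders. They show the weak declaration beside two hardened forms: not exporting the receiver at all, or exporting it only behind a signature-level permission.

```xml
<!-- Constructed example manifest fragments; not Home Assistant's manifest. -->

<!-- WEAK: the receiver is exported and carries no android:permission, so any
     installed app, with no runtime permissions of its own, can deliver a
     crafted Intent with a forged extra straight to onReceive(). -->
<receiver
    android:name=".location.ExampleLocationReceiver"
    android:exported="true">
    <intent-filter>
        <action android:name="com.example.ACTION_LOCATION_UPDATE" />
    </intent-filter>
</receiver>

<!-- HARDENED, option 1: location updates arrive through a PendingIntent the
     app itself created, so the receiver has no reason to be reachable from
     other packages. With exported="false" the platform drops broadcasts sent
     by any other app before onReceive() runs. -->
<receiver
    android:name=".location.ExampleLocationReceiver"
    android:exported="false" />

<!-- HARDENED, option 2: if a separate app from the same developer must deliver
     to this receiver, require a signature-level permission; only apps signed
     with the same certificate can hold it, so third-party apps cannot send. -->
<permission
    android:name="com.example.permission.DELIVER_LOCATION"
    android:protectionLevel="signature" />

<receiver
    android:name=".location.ExampleLocationReceiver"
    android:exported="true"
    android:permission="com.example.permission.DELIVER_LOCATION">
    <intent-filter>
        <action android:name="com.example.ACTION_LOCATION_UPDATE" />
    </intent-filter>
</receiver>
```

Option 1 is the usual choice for a location receiver: a PendingIntent delivered by the platform is sent with the creating app's identity, so a non-exported receiver still gets the app's own updates while nothing from another package can reach it. To audit an installed build, `adb shell dumpsys package <package-name>` lists the declared receivers and their intent filters, and a merged manifest from the build output shows the final `android:exported` value for each component; on Android 12 and later the build fails if a component with an intent filter omits that attribute, which makes accidental exports easier to catch.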

Affected Systems

All installations of the Home Assistant Android client earlier than version 2026.5.3 are affected. The vulnerability exists in the core component of the open‑source platform and impacts any device running the buggy client, regardless of the server instance’s configuration.

Risk and Exploitability

The CVSS score of 7.1 indicates moderate‑to‑high severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires local presence on the device; a malicious app with no runtime permissions can broadcast a fake location. Once the broadcast is accepted, the attacker can induce realistic automation triggers, effectively compromising the integrity of the user’s secured spaces.

Generated by OpenCVE AI on June 24, 2026 at 10:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Home Assistant to version 2026.5.3 or later, which removes the exported receiver.
  • Uninstall or disable the vulnerable Android client until the patch can be applied.
  • Disable mock location functionality in the device’s developer options … of location broadcasts.

Generated by OpenCVE AI on June 24, 2026 at 10:23 UTC.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 22:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Home-assistant; Home-assistant core
Vendors & Products | | Home-assistant; Home-assistant core

Tue, 23 Jun 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.5.3, the LocationSensorManager BroadcastReceiver is exported with no permission. Any installed app, with zero runtime permissions, can broadcast a forged Google Play Services LocationResult directly to it; the receiver trusts the extra and forwards it to the user's Home Assistant server as the device's real location. This bypasses Android's developer-mode "Mock Location" gate and allows a local malicious app to drive zone-based automations (unlock door / disarm alarm / open garage) by faking the user's GPS position. This vulnerability is fixed in 2026.5.3.
Title | | Home Assistant: Exported BroadcastReceiver allows local apps to spoof device location
Weaknesses | | CWE-926
References | |
Metrics | | cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T13:35:52.252Z

Reserved: 2026-06-12T18:42:02.223Z

Link: CVE-2026-54318

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T10:30:14Z

Weaknesses
  • CWE-926

    Improper Export of Android Application Components