Description
Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2025.5.0, the iOS companion app ignores the SSID allowlist for internal networks. The app uses the SSID to decide when to use the internal URL, but whenever it cannot find any other URL to use, it falls back to the internal URL as well, which can expose the user's token when connected to an insecure network. This vulnerability is fixed in 2025.5.0.
Published: 2026-06-29
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The iOS Companion App for Home Assistant disregards the internal SSID allowlist when deciding whether to use the internal URL. If the app cannot find any other URL, it falls back to the internal URL, potentially transmitting the user's access token and sensor data over an unsecured network. This flaw compromises confidentiality and could expose sensitive information. The weakness is classified as CWE-319 (Cleartext Transmission of Sensitive Information): an insecure fallback that leaks credentials.
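The URL-selection decision described above, as an added illustrative model in Python; it is not the companion app's own (Swift) code, and the field names, the precedence order (internal if allowlisted, then external, then cloud) and the sample SSIDs and URLs are assumptions. The vulnerable variant falls back to the internal URL when nothing else is configured; the fixed variant refuses to connect instead.

```python
"""Model of the companion app's server-URL selection (illustrative, not the app's code)."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class ConnectionConfig:
    internal_url: Optional[str]      # usually plain http on the LAN, e.g. http://host.local:8123
    external_url: Optional[str]      # https endpoint reachable from anywhere, if configured
    cloud_url: Optional[str]         # remote-access URL, if configured
    internal_ssids: Tuple[str, ...]  # SSID allowlist on which the internal URL may be used
    current_ssid: Optional[str]      # SSID the phone is currently joined to (None if unknown)


def on_internal_network(cfg: ConnectionConfig) -> bool:
    """True only when the current SSID is on the allowlist."""
    return cfg.current_ssid is not None and cfg.current_ssid in cfg.internal_ssids


def select_url_vulnerable(cfg: ConnectionConfig) -> Optional[str]:
    """Pre-2025.5.0 behaviour as the advisory describes it: the allowlist is honoured
    on the normal path, but with no other URL available the internal URL is used anyway."""
    if on_internal_network(cfg) and cfg.internal_url:
        return cfg.internal_url
    if cfg.external_url:
        return cfg.external_url
    if cfg.cloud_url:
        return cfg.cloud_url
    # BUG: ignores the allowlist, so the token (and sensor updates that carry it)
    # go to the internal URL over whatever network the phone happens to be on.
    return cfg.internal_url


def select_url_fixed(cfg: ConnectionConfig) -> Optional[str]:
    """Hardened variant: the internal URL is only ever used on an allowlisted SSID."""
    if on_internal_network(cfg) and cfg.internal_url:
        return cfg.internal_url
    if cfg.external_url:
        return cfg.external_url
    if cfg.cloud_url:
        return cfg.cloud_url
    return None  # no safe URL: stay offline rather than leak the token (CWE-319)


# Constructed scenario: only an internal URL is configured and the phone is on a
# public network that is not on the allowlist.
UNTRUSTED = ConnectionConfig("http://homeassistant.local:8123", None, None,
                             ("HomeWiFi",), "CafeGuest")
# Same configuration, but joined to the allowlisted home SSID.
TRUSTED = ConnectionConfig("http://homeassistant.local:8123", None, None,
                           ("HomeWiFi",), "HomeWiFi")

if __name__ == "__main__":
    print("vulnerable, untrusted SSID:", select_url_vulnerable(UNTRUSTED))  # internal URL leaks
    print("fixed, untrusted SSID:     ", select_url_fixed(UNTRUSTED))       # None
```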

Affected Systems

The vulnerability affects Home Assistant core versions prior to 2025.5.0 on any platform that uses the iOS Companion App. Any user running an older Home Assistant Core installation with the companion app could be impacted.

Risk and Exploitability

The CVSS score of 7.5 indicates a high level of overall risk, though no EPSS score is provided. The flaw is not listed in the CISA KEV catalog. Exploitation requires the device to be connected to an insecure network; an attacker within range could trigger the fallback and capture the transmitted token, leading to unauthorized access to the Home Assistant instance and its sensor data. Because the flaw is triggered by network conditions rather than a sophisticated attack, it may be relatively easy for an attacker on the same local network to abuse it.

Generated by OpenCVE AI on June 29, 2026 at 16:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Home Assistant Core to version 2025.5.0 or later to eliminate the fallback flaw.
  • Ensure the iOS Companion App is updated to the latest version that enforces the SSID allowlist and verify the removal of the fallback behavior.
  • Configure network settings to prevent the device from connecting to insecure networks; use WPA2- or WPA3-secured Wi-Fi or a VPN to protect traffic from interception.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 21:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Home-assistant
                                       Home-assistant core
Vendors & Products                     Home-assistant
                                       Home-assistant core

Mon, 29 Jun 2026 15:00:00 +0000

Type          Values Removed   Values Added
Description                    Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2025.5.0, The iOS companion app ignores the SSID allowlist for internal networks. The app uses SSID to detect when to use the internal URL, but whenever the app cannot find any other URL to be used, it fallbacks to the internal URL as well, which can expose user's token when connected to a not secure network. This vulnerability is fixed in 2025.5.0.
Title                          Home Assistant: iOS Companion App ignores internal SSID allowlist for connections – possible leak of access token and sensor data
Weaknesses                     CWE-319
References
Metrics                        cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-29T14:19:11.989Z

Reserved: 2026-06-17T16:29:38.865Z

Link: CVE-2026-55844

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T21:30:03Z

Weaknesses
  • CWE-319: Cleartext Transmission of Sensitive Information