CVE-2026-54317 | Home Assistant is open source home automation software that … | CVSS 7.6 HIGH

Description

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.6.0, the Konnected integration registers an HTTP endpoint, KonnectedView (homeassistant/components/konnected/__init__.py), that is marked as not requiring authentication (requires_auth = False). A comment next to that line says auth is instead handled "via the access token from configuration." That promise is only half true. Write requests (POST and PUT) are handled by update_sensor(), which does check the request's Authorization: Bearer <token> header against the integration's stored access tokens (using hmac.compare_digest). Read requests (GET) are handled by a separate get() method that has no authentication check at all. This vulnerability is fixed in 2026.6.0.

Metadata

CVE ID: CVE-2026-54317
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-12 18:42 UTC
Published: 2026-06-23 17:39 UTC
Last updated: 2026-06-23 17:39 UTC
Primary CWE: CWE-200
CWE-200: Exposure of Sensitive Information to an Unauthorize…
Vendor / Product: home-assistant / core
Sources: cve.org · NVD

Severity & Metrics

7.6 HIGH CVSS 3.1

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Affected products (1)

Vendor	Product	Platform	Versions
home-assistant	core	—	< 2026.6.0

Weakness (CWE)

CWE	Source	Description
CWE-200	cna	CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-306	cna	CWE-306: Missing Authentication for Critical Function

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.6	HIGH	3.1	cna	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

References (1)

https://github.com/home-assistant/core/security/advisories/GHSA-x84v-g949-293w https://github.com/home-assistant/core/security/advisories/GHSA-x84v-g949-293w