Home Assistant exposes unauthenticated endpoints
CVE-2026-34205
CVE-2026-34205 exposes unauthenticated Home Assistant app endpoints to the local network; depending on the app, this can lead to remote code execution. Update Supervisor to 2026.03.02 immediately.
Patch now - CVE-2026-34205 is a critical network isolation flaw in Home Assistant Supervisor (before 2026.03.02) on Linux. App endpoints that should only be reachable from the host itself are reachable, without authentication, from other devices on the local network, which can enable remote code execution. Update Supervisor to version 2026.03.02 or later to close the exposure.
Overview
A critical security vulnerability has been identified in Home Assistant, the popular open-source home automation platform. The flaw, tracked as CVE-2026-34205, is a network-binding error in the Supervisor that exposes unauthenticated internal app endpoints to other devices on the local network, bypassing the network isolation those endpoints rely on.
Vulnerability Details
Home Assistant extends its functionality through "apps" (formerly add-ons), each of which the Supervisor runs as a Docker container. Some apps are configured to use the host's network mode for performance or compatibility; the endpoints those apps open are intended to be reachable only from the Home Assistant host machine itself, and the apps typically rely on that boundary rather than on authentication of their own. On Linux systems, however, the Supervisor bound these app endpoints to the Docker bridge network interface instead of confining them to the host. According to the advisory, that interface is reachable from other devices on the same local network (for example, every client on the same Wi-Fi), so the intended isolation is lost: any device on that network can talk to the exposed app endpoints without supplying any credentials. The exposure is therefore determined by the bind address of each listener, not by any authentication check in the apps.
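A quick way to see what the binding problem described above looks like on a host is to list the TCP listeners and flag every socket that is not bound to a loopback address. The script below is an added example, not code from Home Assistant or the Supervisor project. It parses a constructed snapshot of `ss -Htlnp` output (the ports, addresses and process names are hypothetical, and 172.30.32.1 is used only as a stand-in for a Docker bridge gateway address) and reports each listener that is reachable from outside the host. Which of the flagged listeners belong to host-network apps, and whether they expect to be protected by the network boundary, still has to be checked against each app's configuration.

```python
"""Flag TCP listeners on a Home Assistant host that are bound to something
other than a loopback address and are therefore reachable from off-host.

Added example for CVE-2026-34205, not code from the Home Assistant project.
Input format: the output of `ss -Htlnp` (no header line). Run as root so
that `ss` can report the owning process.
"""
import ipaddress
import re
import sys

# Constructed sample of `ss -Htlnp` output. Ports, PIDs and process names are
# hypothetical; 172.30.32.1 stands in for a Docker bridge gateway address.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 4096 127.0.0.1:8099 0.0.0.0:* users:(("python3",pid=1201,fd=5))
LISTEN 0 4096 172.30.32.1:1883 0.0.0.0:* users:(("mosquitto",pid=1320,fd=7))
LISTEN 0 4096 0.0.0.0:8123 0.0.0.0:* users:(("python3",pid=1100,fd=9))
LISTEN 0 128 [::1]:3000 [::]:* users:(("node",pid=1401,fd=11))
LISTEN 0 128 *:22 *:* users:(("sshd",pid=900,fd=3))
"""

# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port [users:((...))]
LINE_RE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(\S+)\s+\S+(?:\s+users:\(\((.*)\)\))?"
)


def split_addr_port(local):
    """Split ss's local address column into (host, port).

    Handles "0.0.0.0:8123", "[::1]:3000" and the wildcard "*:22".
    """
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host):
    """True only for 127.0.0.0/8 and ::1; wildcards count as exposed."""
    if host == "*":
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def exposed_listeners(ss_output):
    """Return sorted (port, bind_address, process) for non-loopback listeners."""
    findings = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, port = split_addr_port(m.group(1))
        if is_loopback(host):
            continue
        proc = "?"
        if m.group(2):
            name = re.search(r'"([^"]*)"', m.group(2))
            if name:
                proc = name.group(1)
        findings.append((port, host, proc))
    return sorted(findings)


if __name__ == "__main__":
    # Feed real data with: ss -Htlnp | python3 this_script.py
    data = SAMPLE_SS_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for port, host, proc in exposed_listeners(data):
        scope = "all interfaces" if host in ("*", "0.0.0.0", "::") else host
        print(f"port {port:<5} bound to {scope:<15} process {proc}")
```

On the constructed sample this reports ports 22, 1883 and 8123 and stays silent about the two loopback-only listeners. A listener bound to a bridge address or to all interfaces is not by itself a vulnerability, but after applying the fix the host-network app endpoints that the advisory describes should no longer appear in this list with a non-loopback bind.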
Impact and Risk
This vulnerability is rated CRITICAL with a CVSS score of 9.6. The primary risk is that an attacker with access to your local network (through a compromised device, a guest, or a malicious insider) can communicate directly with the exposed app endpoints. The impact depends entirely on what the specific apps do: it ranges from information disclosure to full remote code execution on the host, which could let an attacker manipulate smart home devices, read sensitive data, or establish a persistent foothold for further attacks. Because the exposed endpoints require no authentication, the attacker needs nothing more than network reachability. A local network breach of this kind is a common initial access vector, as seen in campaigns like those involving TernDoor and BruteEntry.
Remediation and Mitigation
The issue has been addressed in Home Assistant Supervisor version 2026.03.02.
Immediate Action Required:
- Update Immediately: All Home Assistant users, especially those running the Supervisor on Linux, must update the Supervisor to version 2026.03.02 or later. This update corrects the network binding behavior so that host-network app endpoints are no longer exposed beyond the host.
- Verify Update: Navigate to Settings > System > Updates in your Home Assistant dashboard. Apply the available Supervisor update and confirm that the system reports Supervisor version 2026.03.02 or later.
- Network Segmentation: As a general security best practice, consider placing your Home Assistant instance and IoT devices on a dedicated, segregated network VLAN. This limits the potential attack surface from other network devices.
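The verification step above comes down to comparing the reported Supervisor version with the fixed release. The function below is an added example, not code from the Home Assistant project. It assumes the version string has the Supervisor's calendar form YYYY.MM.PATCH (for instance "2026.03.02", as shown in the dashboard or by `ha supervisor info` on Home Assistant OS) and refuses to guess at anything else, so a development or malformed version string is reported as unknown rather than as patched.

```python
"""Decide whether a reported Home Assistant Supervisor version includes the
fix for CVE-2026-34205.

Added example, not code from the Home Assistant project. Assumes the
YYYY.MM.PATCH calendar version scheme; other strings are rejected.
"""
import re

FIXED_VERSION = "2026.03.02"
VERSION_RE = re.compile(r"^(\d{4})\.(\d{1,2})\.(\d{1,2})$")


def parse_version(text):
    """Turn "2026.03.02" (or "2026.3.2") into the comparable tuple (2026, 3, 2)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Supervisor version: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(version, fixed=FIXED_VERSION):
    """True when `version` is at or above the fixed release."""
    return parse_version(version) >= parse_version(fixed)


def assess(version):
    """One-line verdict suitable for a monitoring check or a script's output."""
    try:
        patched = is_patched(version)
    except ValueError as exc:
        return f"UNKNOWN: {exc}"
    if patched:
        return f"OK: Supervisor {version} is at or above {FIXED_VERSION}"
    return f"VULNERABLE: Supervisor {version} predates the fix in {FIXED_VERSION}"


if __name__ == "__main__":
    # Constructed inputs; replace with the version your instance reports.
    for reported in ("2026.03.01", "2026.03.02", "2026.3.2", "2026.04.00", "dev"):
        print(assess(reported))
```

Treating an unparseable version as unknown rather than as patched is deliberate: a check that silently passes on unexpected input would hide exactly the case where the Supervisor is not running a normal release.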
This flaw highlights the importance of correctly enforcing security boundaries, a principle just as central to other Linux security mechanisms such as AppArmor. Network segmentation reduces who can reach the exposed endpoints but does not remove the exposure; applying the Supervisor update is the only complete fix for this vulnerability.