Platform: python
Component: home-assistant-cli
Fixed in: 1.0.1, 1.0.0
CVE-2026-40602 describes a Remote Code Execution (RCE) vulnerability in the Home Assistant Command-line interface (hass-cli), specifically affecting versions prior to 1.0.0. This flaw arises from the use of an unrestricted environment when rendering Jinja2 templates, allowing attackers to execute arbitrary Python code. The vulnerability was publicly disclosed on April 21, 2026, and a fix is available in version 1.0.0.
The unrestricted Jinja2 template rendering allows attackers to bypass intended security restrictions within the hass-cli tool. By crafting malicious Jinja2 templates, an attacker can gain access to Python's internals and execute arbitrary code on the system where hass-cli is running. This could lead to complete system compromise, including data theft, modification, or denial of service. The ability to import arbitrary modules and execute code significantly expands the potential attack surface, enabling attackers to perform actions beyond the intended scope of the tool. The vulnerability's impact is amplified if the hass-cli tool is run with elevated privileges.
CVE-2026-40602 is currently not listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is likely to emerge given the vulnerability's ease of exploitation and the potential for significant impact. The vulnerability's description details a clear exploitation path, suggesting a relatively low barrier to entry for attackers. Active campaigns targeting this vulnerability are currently unconfirmed, but the potential for exploitation warrants careful monitoring.
Home Assistant users who are running versions of hass-cli prior to 1.0.0, particularly those who allow users to provide custom templates or scripts to the CLI tool, are at significant risk. Shared hosting environments where multiple users have access to the hass-cli tool are also vulnerable.
• linux / server:
  ps aux | grep 'hass-cli template' | grep -i 'environ.__globals__'
• python / supply-chain:
  import subprocess
  # Example of a malicious template execution (DO NOT RUN). The command only
  # prints a marker string; it stands in for whatever a template could launch.
  # A list argument combined with shell=True hands only 'echo' to the shell and
  # drops the message, so the command is run directly instead.
  subprocess.run(['echo', 'Malicious code executed!'])
• generic web: Inspect Home Assistant logs for any errors or unusual activity related to template rendering or Python execution.
disclosure
Exploit status
EPSS: 0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-40602 is to upgrade to version 1.0.0 of the Home Assistant Command-line interface. This version addresses the unrestricted Jinja2 template rendering issue by implementing a sandboxed environment. If upgrading is not immediately feasible, consider restricting access to the hass-cli tool and carefully reviewing any user-supplied templates. While a direct WAF rule is unlikely to be effective due to the nature of the vulnerability, monitoring for suspicious Python code execution patterns within the system's logs can provide an early warning. After upgrading, confirm the fix by attempting to render a malicious Jinja2 template and verifying that it is properly sandboxed and does not execute arbitrary code.
Update to version 1.0.0 or later of home-assistant-cli to fix the vulnerability. This version uses a Jinja2 sandbox environment that restricts access to Python's internal functions and limits the scope of template processing.
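The two rendering patterns the advisory contrasts, side by side, as an added example (this is not hass-cli's own code, and it does not reproduce how hass-cli wires templates into the CLI): a plain jinja2 `Environment`, where any Python attribute reachable from a context value is reachable from the template, and a `SandboxedEnvironment`, which replaces unsafe attribute access with an object that raises `SecurityError` the moment the template tries to use it. A small pre-render check for dunder attribute access is included as the kind of log or input pattern the "monitor for suspicious execution patterns" advice above refers to. It assumes the Jinja2 package is installed; the context values, templates and the regular expression are constructed for the demonstration.

```python
"""Added example, not code from hass-cli or the Home Assistant project.

Contrasts unrestricted and sandboxed Jinja2 rendering and adds a pre-render
check for templates that reach for dunder attributes. Assumes Jinja2 is
installed; sample context and templates are constructed for this demo.
"""
import re

from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed sample of the kind of values a CLI might hand to a user template.
SAMPLE_CONTEXT = {"state": "on", "name": "kitchen_light"}

# Constructed detection rule: attribute or item access on a dunder name, which
# no legitimate Home Assistant state template needs.
DUNDER_ACCESS = re.compile(r"""\.\s*__\w+__|\[\s*['"]__\w+__['"]\s*\]""")


def render_unrestricted(template_src: str, context: dict) -> str:
    """Pre-fix pattern: every Python attribute is reachable from the template."""
    return Environment().from_string(template_src).render(**context)


def render_sandboxed(template_src: str, context: dict) -> str:
    """Post-fix pattern: underscore-prefixed and other unsafe attributes are
    replaced by an Undefined that raises SecurityError when used further."""
    return SandboxedEnvironment().from_string(template_src).render(**context)


def flag_suspicious_template(template_src: str) -> bool:
    """Return True if the template text accesses a dunder attribute or item."""
    return DUNDER_ACCESS.search(template_src) is not None


def probe(render) -> dict:
    """Verification helper for the 'confirm the fix' step: render a benign
    template, then a template that asks a context value for its class name.
    The probe is inert (it reads a type name and executes nothing) but follows
    the attribute path the sandbox is meant to cut off."""
    benign = render("{{ name }} is {{ state }}", SAMPLE_CONTEXT)
    try:
        internal = render("{{ state.__class__.__name__ }}", SAMPLE_CONTEXT)
        blocked = False
    except SecurityError:
        internal = None
        blocked = True
    return {"benign": benign, "internal": internal, "blocked": blocked}


if __name__ == "__main__":
    print("unrestricted:", probe(render_unrestricted))
    print("sandboxed:   ", probe(render_sandboxed))
    print("flagged:", flag_suspicious_template("{{ state.__class__.__name__ }}"))
```

Running the script prints `blocked: False` with the internal name `str` for the unrestricted renderer and `blocked: True` for the sandboxed one, while the benign template renders identically in both; that pair of outcomes is what "verifying that it is properly sandboxed" after the upgrade should look like. The detection regex is deliberately narrow: it catches the dunder hop an escape has to start with but will not catch every obfuscation, so treat a hit as a reason to look, not as proof of compromise.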
CVE-2026-40602 is a Remote Code Execution vulnerability in the Home Assistant Command-line interface (hass-cli) versions before 1.0.0, allowing attackers to execute arbitrary Python code through unrestricted Jinja2 template rendering.
You are affected if you are using Home Assistant Command-line interface (hass-cli) version 1.0.0 or earlier. Check your version and upgrade immediately.
Upgrade to version 1.0.0 of the Home Assistant Command-line interface. This version includes a sandboxed Jinja2 environment to prevent code execution.
Public proof-of-concept exploits are known, suggesting the potential for active exploitation. Monitor your systems for suspicious activity.
Refer to the official Home Assistant security advisories and release notes for details and updates regarding CVE-2026-40602.