Platform: linux
Component: core
Fixed in: 17.1.1
CVE-2026-34205 describes a critical vulnerability in Home Assistant Operating System. Specifically, Home Assistant apps configured with host network mode expose unauthenticated endpoints, potentially allowing unauthorized access from devices on the same network. This impacts versions 17.1 and earlier. The vulnerability is fixed in Home Assistant Supervisor version 2026.03.02.
CVE-2026-34205 affects the Home Assistant Operating System, allowing unauthenticated access to apps configured with 'host' network mode. On Linux systems, this misconfiguration allows any device on the local network to reach these endpoints without authentication. This could allow malicious actors to control connected devices, access sensitive data, or even execute unauthorized code. The vulnerability is rated 9.7 on the CVSS scale, indicating a critical risk. Exposure of these endpoints represents a serious security breach for users relying on Home Assistant for home automation and privacy.
This vulnerability is exploited by leveraging the incorrect 'host' network mode configuration within Home Assistant apps. An attacker on the same local network can scan for exposed endpoints and, due to the lack of authentication, directly access them. The simplicity of exploitation makes this vulnerability particularly concerning as it does not require advanced technical skills. The absence of authentication means any device with network access can potentially compromise the system.
Exploit Status
EPSS: 0.02% (6% percentile)
The fix for CVE-2026-34205 was implemented in Home Assistant Supervisor version 2026.03.02. It is strongly recommended to update to this version or later as soon as possible. Additionally, review the network configuration of your Home Assistant apps and, where possible, restrict internal network access to trusted devices only. Consider using VLANs or network segmentation for an extra layer of security. Monitoring network activity for unauthorized access is also a recommended practice.
Update Home Assistant Supervisor to version 2026.03.02 or later. This corrects the exposure of unauthenticated endpoints on the local network when using host network mode.
Home Assistant is an open-source home automation software that allows you to control and automate various devices and services in your home.
Host network mode allows a Docker application to use the host's network interface directly, rather than Docker's internal network. This can improve performance but can also increase security risks if not configured correctly.
If you are using a version of Home Assistant Supervisor older than 2026.03.02, you are likely affected. Check your Supervisor version in the Home Assistant user interface.
If you cannot update immediately, consider restricting internal network access to trusted devices only and monitoring network activity.
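The version check and the host-network review described above can be scripted. The following is an added example, not code from Home Assistant or from this advisory: it compares a Supervisor version against the fixed release 2026.03.02 numerically (so that `2026.3.2` and `2026.03.02` compare equal) and lists the apps that run in host network mode. The inventory format, the `slug` and `host_network` keys, and the sample apps are assumptions constructed for illustration.

```python
import re

FIXED_SUPERVISOR = "2026.03.02"  # fixed Supervisor version stated in this advisory

# Constructed sample inventory; the 'slug' and 'host_network' keys are assumed.
SAMPLE_APPS = [
    {"slug": "example_bridge", "host_network": True},
    {"slug": "example_editor", "host_network": False},
    {"slug": "example_discovery", "host_network": True},
]


def parse_calver(version):
    """Turn '2026.03.02' or '2026.3.2' into (2026, 3, 2), ignoring zero padding."""
    parts = []
    for field in version.strip().split("."):
        match = re.match(r"\d+", field)
        if not match:
            break  # stop at a non-numeric suffix such as 'dev1'
        parts.append(int(match.group()))
    if len(parts) < 3:
        raise ValueError(f"unrecognised Supervisor version: {version!r}")
    return tuple(parts[:3])


def supervisor_is_fixed(version):
    """True when the version is 2026.03.02 or later (numeric, not string, compare)."""
    return parse_calver(version) >= parse_calver(FIXED_SUPERVISOR)


def audit(supervisor_version, apps):
    """Report whether the Supervisor is fixed and which apps use host networking."""
    fixed = supervisor_is_fixed(supervisor_version)
    host_apps = sorted(a["slug"] for a in apps if a.get("host_network"))
    return {
        "supervisor_fixed": fixed,
        "host_network_apps": host_apps,
        # Action is needed only when unfixed AND at least one app is on the host network.
        "action_needed": (not fixed) and bool(host_apps),
    }


if __name__ == "__main__":
    print(audit("2026.3.1", SAMPLE_APPS))
```

A plain string comparison would rank `2026.3.1` above `2026.03.02` and report an unpatched system as fixed, which is why the fields are compared as integers.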
You can find more information about this vulnerability on the Home Assistant website and in vulnerability databases such as NIST NVD.