Platform: python
Component: home-assistant-cli
Fixed in: 1.0.1, 1.0.0
CVE-2026-40602 describes a Remote Code Execution (RCE) vulnerability in the Home Assistant Command-line interface (hass-cli), specifically affecting versions prior to 1.0.0. This flaw arises from the use of an unrestricted environment when rendering Jinja2 templates, allowing attackers to execute arbitrary Python code. The vulnerability was publicly disclosed on April 21, 2026, and a fix is available in version 1.0.0.
The unrestricted Jinja2 template rendering allows attackers to bypass the security restrictions intended for the hass-cli tool. By crafting malicious Jinja2 templates, an attacker can reach Python's internals and execute arbitrary code on the system where hass-cli is running. This could lead to complete system compromise, including data theft, privilege escalation, and the installation of malware. The ability to import arbitrary modules and access system resources significantly expands the potential impact of this vulnerability. The example given in the advisory demonstrates how an attacker could use Python's import mechanism to execute operating system commands, highlighting the severity of the issue.
CVE-2026-40602 is currently not listed on the CISA KEV catalog. The EPSS score is pending evaluation. Public proof-of-concept exploits are known to exist, demonstrating the feasibility of exploiting this vulnerability. The vulnerability was publicly disclosed on April 21, 2026, indicating a relatively recent discovery.
Exploit Status:
EPSS: 0.02% (5% percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-40602 is to upgrade to version 1.0.0 of the Home Assistant Command-line interface. This version includes a sandboxed Jinja2 environment, preventing the unrestricted code execution that leads to the vulnerability. If upgrading is not immediately feasible, consider restricting access to the hass-cli tool and carefully reviewing any user-supplied templates. While a WAF or proxy cannot directly mitigate this vulnerability, they can be configured to monitor for suspicious template execution patterns. There are no specific Sigma or YARA rules available at this time, but monitoring Python process execution for unusual activity is recommended.
Update to version 1.0.0 or higher of home-assistant-cli to mitigate the vulnerability. This version uses a sandboxed Jinja2 environment, restricting access to Python internals and limiting the scope of templating.
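To make the difference between the two configurations concrete, here is an added example (not hass-cli's own code; the page does not show the project's implementation). It assumes that "sandboxed Jinja2 environment" means Jinja2's `jinja2.sandbox.SandboxedEnvironment`, and it pairs the sandbox with `StrictUndefined` so that an attempt to touch a private or dunder attribute fails closed with `SecurityError` instead of rendering as an empty string. The template strings and the `state` value are constructed for the demonstration.

```python
from jinja2 import Environment, StrictUndefined
from jinja2.sandbox import SandboxedEnvironment, SecurityError

# Constructed probe: the first step any template needs in order to reach
# Python internals is a dunder attribute lookup on an ordinary value.
PROBE_TEMPLATE = "{{ state.__class__ }}"
# Constructed benign template of the kind a CLI user would legitimately write.
BENIGN_TEMPLATE = "{{ state | upper }} ({{ state | length }} chars)"
SAMPLE_STATE = "on"  # constructed sample value


def render_unrestricted(template_source, **ctx):
    """Plain Environment: attribute access is unrestricted (the pre-1.0.0 situation
    described in the advisory)."""
    return Environment().from_string(template_source).render(**ctx)


def render_sandboxed(template_source, **ctx):
    """SandboxedEnvironment with StrictUndefined (assumed hardening): access to
    attributes starting with '_' is refused and surfaces as SecurityError."""
    env = SandboxedEnvironment(undefined=StrictUndefined)
    return env.from_string(template_source).render(**ctx)


def classify_template(template_source, **ctx):
    """Return ("ok", output) when the sandbox renders the template, or
    ("blocked", message) when the sandbox refuses it."""
    try:
        return ("ok", render_sandboxed(template_source, **ctx))
    except SecurityError as exc:
        return ("blocked", str(exc))


if __name__ == "__main__":
    print("unrestricted:", render_unrestricted(PROBE_TEMPLATE, state=SAMPLE_STATE))
    print("sandboxed   :", classify_template(PROBE_TEMPLATE, state=SAMPLE_STATE))
    print("benign      :", classify_template(BENIGN_TEMPLATE, state=SAMPLE_STATE))
```

The unrestricted environment happily renders the probe as `<class 'str'>`, which is the foothold the advisory describes; the sandboxed environment refuses the same lookup while still rendering the benign template as `ON (2 chars)`. Note that a bare `SandboxedEnvironment` with the default `Undefined` renders an unsafe single attribute access as an empty string rather than raising, which is why the example opts into `StrictUndefined`.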
CVE-2026-40602 is a Remote Code Execution vulnerability in the Home Assistant Command-line interface (hass-cli) versions before 1.0.0, allowing attackers to execute arbitrary Python code through unrestricted Jinja2 template rendering.
You are affected if you are using Home Assistant Command-line interface (hass-cli) version 1.0.0 or earlier. Check your version and upgrade immediately.
Upgrade to version 1.0.0 of the Home Assistant Command-line interface. This version includes a sandboxed Jinja2 environment to prevent code execution.
Public proof-of-concept exploits are known, suggesting the potential for active exploitation. Monitor your systems for suspicious activity.
Refer to the official Home Assistant security advisories and release notes for details and updates regarding CVE-2026-40602.