Platform
nodejs
Component
homebox
Fixed in
0.25.1
CVE-2026-40196 is a high-severity vulnerability affecting HomeBox versions prior to 0.25.0. This flaw allows an attacker to bypass access controls via the API, potentially leading to unauthorized modification or deletion of home inventory data. The vulnerability stems from a persistent defaultGroup ID that isn't properly validated when the X-Tenant header is omitted. Users are advised to upgrade to version 0.25.0 to address this issue.
The primary impact of CVE-2026-40196 is the potential for unauthorized access and modification of home inventory data within HomeBox. An attacker who can exploit this vulnerability can perform full CRUD (Create, Read, Update, Delete) operations on the affected user's data, even after their access to the group has been revoked through the web interface. This could involve stealing sensitive information about household contents, altering records, or even deleting entire inventories. The lack of proper validation of the X-Tenant header significantly widens the attack surface, allowing attackers to potentially target multiple users if the defaultGroup ID assignment isn't handled correctly. This vulnerability highlights the importance of consistent access control enforcement across all interfaces, including APIs.
CVE-2026-40196 was publicly disclosed on 2026-04-17. There is currently no indication of active exploitation or a public proof-of-concept (POC). The vulnerability has not been added to the CISA KEV catalog. The CVSS score of 8.1 (HIGH) indicates a significant potential for exploitation if left unaddressed.
HomeBox users who have not upgraded to version 0.25.0 are at risk. This includes individuals and families relying on HomeBox for home inventory management. Specifically, deployments with custom API integrations or those lacking robust API security measures are particularly vulnerable.
• nodejs / server:
  journalctl -u homebox | grep -i "defaultGroup"
• nodejs / server:
  ps aux | grep homebox | grep -i "X-Tenant"
• generic web:
  curl -I 'http://<homebox_ip>/api/groups/<group_id>' -H 'X-Tenant: '   # expect 403 Forbidden when the X-Tenant header is absent (curl drops a header whose value is only whitespace, so none is sent here)
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-40196 is to upgrade HomeBox to version 0.25.0 or later, which includes the necessary fix. If an immediate upgrade is not feasible, consider implementing a temporary workaround by strictly enforcing the X-Tenant header for all API requests. This can be achieved through API gateway configuration or custom middleware that rejects requests lacking the header. Additionally, review and audit all API access logs for suspicious activity, particularly focusing on requests that omit the X-Tenant header. After upgrading, confirm the fix by attempting to access group data via the API without the X-Tenant header and verifying that access is denied.
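The workaround above, as an added example that is not HomeBox project code: an Express-style middleware that rejects API requests lacking an X-Tenant header and re-checks the caller's current group membership on every request instead of falling back to a stored default group. The in-memory membership table, the `req.user` field and the function names are assumptions for this illustration.

```javascript
// Added example (not HomeBox code): tenant-header enforcement middleware.
// Constructed in-memory membership table: userId -> Set of group ids the user
// currently belongs to. A real deployment queries the database on each request
// so that a membership revoked in the web UI takes effect for the API at once.
const membership = new Map([
  ['user-1', new Set(['group-a'])],
  ['user-2', new Set(['group-a', 'group-b'])],
]);

function isMember(userId, groupId) {
  const groups = membership.get(userId);
  return groups !== undefined && groups.has(groupId);
}

// Pure decision function so the policy can be tested without an HTTP server.
// Returns { status: 200, tenant } when the request may proceed, otherwise the
// 4xx status to send. authUserId is assumed to come from a verified session.
function checkTenant(headers, authUserId) {
  // Node lowercases incoming header names in req.headers.
  const raw = headers['x-tenant'];
  const tenant = typeof raw === 'string' ? raw.trim() : '';
  if (tenant === '') {
    // Never substitute a cached default group here: that fallback is the bypass.
    return { status: 400, error: 'X-Tenant header required' };
  }
  if (!authUserId) {
    return { status: 401, error: 'unauthenticated' };
  }
  if (!isMember(authUserId, tenant)) {
    // Membership is re-evaluated per request, so revocation is honoured.
    return { status: 403, error: 'not a member of the requested tenant' };
  }
  return { status: 200, tenant };
}

// Express-compatible wrapper; req.user is assumed to be set by auth middleware.
function requireTenant(req, res, next) {
  const decision = checkTenant(req.headers || {}, req.user && req.user.id);
  if (decision.status !== 200) {
    res.status(decision.status).json({ error: decision.error });
    return;
  }
  req.tenant = decision.tenant; // downstream handlers scope queries to this
  next();
}
```

Mount `requireTenant` in front of every `/api` route so that the check runs before any group-scoped query.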
Upgrade to version 0.25.0 or later to mitigate the vulnerability. This update fixes the missing validation of the X-Tenant header in the API, preventing users from accessing groups they no longer have access to.
CVE-2026-40196 is a high-severity vulnerability in HomeBox versions before 0.25.0 that allows attackers to bypass access controls via the API, potentially leading to unauthorized data modification.
You are affected if you are using HomeBox versions 0.0.0 through 0.24.9. Upgrade to 0.25.0 to mitigate the risk.
Upgrade HomeBox to version 0.25.0 or later. As a temporary workaround, strictly enforce the X-Tenant header for all API requests.
There is currently no indication of active exploitation or a public proof-of-concept.
Refer to the HomeBox project's official communication channels and security advisories for the latest information.