Security

Home Assistant takes its security seriously. We will do everything in our power to ensure that our users are safe.

This page is intended to provide information about how to report security issues with us, and how they are handled. Additionally, it provides details about reported security issues we have handled in the past.

Reporting a vulnerability

So, you have found a security vulnerability in Home Assistant? Please, be sure to responsibly disclose it to us by reporting a vulnerability using GitHub’s Security Advisory.

DO NOT MAKE A PUBLIC ISSUE FOR SECURITY VULNERABILITIES!

We are mostly interested in reports by actual Home Assistant users that are familiar with the platform, but all high quality contributions are welcome. Please do your best to describe a clear and realistic impact for your report.

For the sake of the security of our users, please 🙏 do not make vulnerabilities public without notifying us and giving us at least 90 days to release a fixed version. We will do our best to respond to your report within 7 days and also to keep you informed of the progress of our efforts to resolve the issue, but understand that Home Assistant, like many open source projects, is relying heavily on volunteers that aren’t full-time resources. We may not be able to respond as quickly as you would like due to other responsibilities.

If you are going to write about Home Assistant’s security, please get in touch, so we can ensure that all claims are correct.

Non-qualifying vulnerabilities

We will not accept reports of vulnerabilities of the following types:

  • Reports from automated tools or scanners.
  • Theoretical attacks without proof of exploitability.
  • Attacks that are the result of a third-party application or library (these should instead be reported to the library maintainers).
  • Social engineering.
  • Attacks that require the user to have access to the Home Assistant host system.
  • Attacks involving physical access to a user’s device, or involving a device or network that’s already seriously compromised (like, man-in-the-middle).
  • Attacks that require the user to install a malicious other software, like a third-party integration, add-on, or plugin.
  • Attacks that the user can only perform against their own setup.
  • Privilege escalation attacks for logged in users. Home Assistant assumes every user is trusted and does not enforce user privileges. It assumes every logged in user has the same access as an owner account (more information).

Supported versions

We only accept reports against the latest stable & official versions of Home Assistant or any versions beyond that are currently in development or beta test. The latest version can be found on our GitHub releases page.

We do not accept reports against forks of Home Assistant.

Severity scoring

If you are familiar with CVSS3.1, please provide the vulnerability score in your report in the shape of a vector string. There’s a calculator that can be helpful. If you are unsure how or unable to score a vulnerability, state that in your report, and we will look into it.

If you intend to provide a score, please familiarize yourself with CVSS first (we strongly recommend reading the Specification and Scoring Guide), as we will not accept reports that use it incorrectly.

Public disclosure & CVE assignment

We will publish GitHub Security Advisories and through those, will also request CVEs, for valid vulnerabilities that meet the following criteria:

  • The vulnerability is in Home Assistant itself, not a third-party library.
  • The vulnerability is not already known to us.
  • The vulnerability is not already known to the public.
  • CVEs will only be requested for vulnerabilities with a severity of medium or higher.

Bounties

As an open source project, Home Assistant cannot offer bounties for security vulnerabilities. However, if so desired, we of course will credit the discoverer of a vulnerability.

Past advisories

The following is a list of past security advisories that have been published by the Home Assistant project.

2023-12-14: User accounts disclosed to unauthenticated actors on the LAN
Severity: Moderate (CVSS: 4.2)
Detailed information: Security advisory
Assigned CVE: CVE-2023-50715
Discovered by: r01k
Fixed in: Home Assistant Core 2023.12.3

2023-10-19: Actions expression injection in helpers/version/action.yml
Severity: Low (This is an internal project)
Detailed information: Security advisory
Discovered by: Jorge Rosillo, Peter Stöckli (GitHub Security Lab)
Fixed in: Home Assistant GitHub Actions released on September 5, 2023

2023-10-19: Arbitrary URL load in Android WebView in MyActivity.kt
Severity: High (CVSS: 8.6)
Detailed information: Security advisory
Assigned CVE: CVE-2023-41898
Discovered by: Tony Torralba (GitHub Security Lab)
Fixed in: Home Assistant for Android 2023.9.2

2023-10-19: Partial Server-Side Request Forgery in Core
Severity: Low
Detailed information: Security advisory
Assigned CVE: CVE-2023-41899
Discovered by: Alvaro Muñoz (GitHub Security Lab)
Fixed in: Home Assistant Core 2023.9

2023-10-19: Client-Side Request Forgery in iOS/macOS native Apps
Severity: High (CVSS: 8.6)
Detailed information: Security advisory
Assigned CVE: CVE-2023-44385
Discovered by: Alvaro Muñoz (GitHub Security Lab)
Fixed in: Home Assistant for iOS 2023.7

2023-10-19: Account takeover via auth_callback login
Severity: Low
Detailed information: Security advisory
Assigned CVE: CVE-2023-41893
Discovered by: Cure53 (Funded by Nabu Casa)
Fixed in: Home Assistant Core 2023.9

2023-10-19: Full takeover via javascript URI in auth_callback login
Severity: Critical
Detailed information: Security advisory
Assigned CVE: CVE-2023-41895
Discovered by: Cure53 (Funded by Nabu Casa)
Fixed in: Home Assistant Core 2023.9

2023-10-19: Local-only webhooks externally accessible via SniTun
Severity: Low
Detailed information: Security advisory
Assigned CVE: CVE-2023-41894
Discovered by: Cure53 (Funded by Nabu Casa)
Fixed in: Home Assistant Core 2023.9

2023-10-19: Fake WS server installation permits full takeover
Severity: Critical
Detailed information: Security advisory
Assigned CVE: CVE-2023-41896
Discovered by: Cure53 (Funded by Nabu Casa)
Fixed in: Home Assistant Core 2023.9 & home-assistant-js-websocket 8.2.0 (npm)

2023-10-19: Lack of XFO header allows clickjacking
Severity: Critical
Detailed information: _Security advisory
Assigned CVE: CVE-2023-41897
Discovered by: Cure53 (Funded by Nabu Casa)
Fixed in: Home Assistant Core 2023.9

2023-03-08: Authentication bypass Supervisor API
Severity: Critical (CVSS: 10.0)
Detailed information: Security advisory
Assigned CVE: CVE-2023-27482
Discovered by: Joseph Surin from elttam
Fixed in: Home Assistant Core 2023.3.2, Home Assistant Supervisor 2023.03.3

2017-10-11: Cross-site scripting in Markdown output
Severity: Medium (CVSS: 6.1)
Detailed information: Pull request
Assigned CVE: CVE-2017-16782
Discovered by: Marcin Teodorczyk from intive.com
Fixed in: Home Assistant Core 0.57


This security page is heavily inspired by the one from OctoPrint. ❤️ If you are into 3D printing, check them out!