CVE-2026-34205 CRITICAL

CVE-2026-34205: Home Assistant: Unauthenticated App (Add-on) Endpoints Exposed to Local Network via Host Network Mode

Vendor Home-Assistant
Product Home Assistant Operating System
Weakness CWE-923
Published March 27, 2026
Last update April 1, 2026

CVSS base score

9.7/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Home Assistant is open source home automation software that puts local control and privacy first. Home Assistant apps (formerly add-ons) configured with host network mode expose unauthenticated endpoints bound to the internal Docker bridge interface to the local network. On Linux, this configuration does not restrict access to the app as intended, allowing any device on the same network to reach these endpoints without authentication. Home Assistant Supervisor 2026.03.02 addresses the issue.

Key dates

02Disclosure timeline

March 27, 2026 CVE published
April 1, 2026 Record updated