CVE-2026-40602 MEDIUM

CVE-2026-40602: hass-cli: Handling of user-supplied Jinja2 templates

Vendor Home-Assistant-Ecosystem
Product home-assistant-cli
Weakness CWE-94 · Code injection
Published April 21, 2026
Last update April 21, 2026

CVSS base score

5.6/10
Attack vector Local
Attack complexity High
Privileges required High
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

Description

The Home Assistant Command-line interface (hass-cli) is a command-line tool for Home Assistant. Up to 1.0.0 of home-assistant-cli, an unrestricted Jinja2 environment was used to handle templates instead of a sandboxed one. User-supplied input within Jinja2 templates was rendered locally with no restrictions. This gave users access to Python's internals and extended the scope of templating beyond its intended use. This vulnerability is fixed in 1.0.0.
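The weak and the hardened configuration side by side, as an added example that is not hass-cli's own code: the template strings and context are constructed here, and the only assumption is that the fix amounts to replacing Jinja2's plain Environment with its SandboxedEnvironment. The unrestricted environment happily renders a template that reaches into the Python object model through a dunder attribute; the sandbox rejects the same template with SecurityError.

```python
"""Unrestricted vs sandboxed rendering of a user-supplied Jinja2 template.

Illustration of the weakness class in this advisory (CWE-94 via Jinja2).
Templates and context are constructed samples, not taken from hass-cli.
"""
from jinja2 import Environment, StrictUndefined
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed sample context: the kind of data a CLI would hand to a template.
CONTEXT = {"x": "living room lamp", "state": "on"}

# A benign template, and one that walks into the Python object model via a
# dunder attribute (the "Python's internals" the advisory refers to).
BENIGN = "{{ x | upper }} is {{ state }}"
PROBE = "{{ x.__class__.__name__ }}"


def render_unrestricted(template_src: str) -> str:
    """Weak configuration: a plain Environment renders whatever it is given,
    including attribute access that a user should never reach."""
    return Environment().from_string(template_src).render(CONTEXT)


def render_sandboxed(template_src: str) -> str:
    """Hardened configuration: SandboxedEnvironment refuses unsafe attributes
    (anything starting with '_', among others). StrictUndefined makes the
    refusal loud instead of silently rendering an empty string."""
    env = SandboxedEnvironment(undefined=StrictUndefined)
    return env.from_string(template_src).render(CONTEXT)


def classify(template_src: str) -> str:
    """Audit helper: report whether the sandbox accepts or rejects a template."""
    try:
        render_sandboxed(template_src)
        return "allowed"
    except SecurityError:
        return "blocked"


if __name__ == "__main__":
    print("unrestricted:", render_unrestricted(BENIGN))
    print("unrestricted:", render_unrestricted(PROBE))  # leaks the type name 'str'
    print("sandboxed   :", render_sandboxed(BENIGN))
    print("sandboxed   :", classify(PROBE))             # blocked
```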

Key dates

Disclosure timeline

April 21, 2026 CVE published
April 21, 2026 Record updated