ID

VAR-202606-4313


CVE

CVE-2026-54317


TITLE

Multiple vulnerabilities in Home Assistant

Trust: 0.8

sources: JVNDB: JVNDB-2026-021240

DESCRIPTION

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.6.0, the Konnected integration registers an HTTP endpoint, KonnectedView (homeassistant/components/konnected/__init__.py), that is marked as not requiring authentication (requires_auth = False). A comment next to that line says auth is instead handled "via the access token from configuration." That promise is only half true. Write requests (POST and PUT) are handled by update_sensor(), which does check the request's Authorization: Bearer <token> header against the integration's stored access tokens (using hmac.compare_digest). Read requests (GET) are handled by a separate get() method that has no authentication check at all. This vulnerability is fixed in 2026.6.0.

Possible impact:
- All information handled by the software may be leaked to external parties.
- Some of the information handled by the software may be overwritten.
- Part of the software may stop working.
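The pattern in the description, as an added Python example that is not Home Assistant's code: the bearer-token check lives in one helper, a decorator applies it to any handler, and a small audit lists the handlers on a requires_auth = False view that still lack it. The Request class, token values and handler bodies are constructed for the illustration, and the hardened form is one way to close the gap, not necessarily the project's actual fix.

```python
import hmac
from dataclasses import dataclass, field
from functools import wraps

HTTP_METHODS = ("get", "post", "put", "delete", "patch")


@dataclass
class Request:
    """Constructed stand-in for an HTTP request (a real view receives an aiohttp request)."""
    method: str
    headers: dict = field(default_factory=dict)


# Constructed sample tokens; a real integration loads these from its configuration.
STORED_TOKENS = ("tok-constructed-a", "tok-constructed-b")


def bearer_token_ok(request, tokens=STORED_TOKENS):
    """True only if 'Authorization: Bearer <token>' matches a stored token (constant-time)."""
    scheme, _, presented = request.headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not presented:
        return False
    return any(hmac.compare_digest(presented.encode(), t.encode()) for t in tokens)


def require_token(handler):
    """Apply the token check to any handler and tag it so an audit can see it is covered."""
    @wraps(handler)
    def wrapper(self, request):
        if not bearer_token_ok(request):
            return 401, "unauthorized"
        return handler(self, request)
    wrapper.token_checked = True
    return wrapper


def unguarded_handlers(view_cls):
    """Names of HTTP handlers on a requires_auth=False view that carry no token check."""
    if getattr(view_cls, "requires_auth", True):
        return []  # the framework authenticates these views itself
    return [m for m in HTTP_METHODS
            if callable(getattr(view_cls, m, None))
            and not getattr(getattr(view_cls, m), "token_checked", False)]


class VulnerableView:
    """The flawed shape: only the write path is checked."""
    requires_auth = False

    @require_token
    def post(self, request):
        return 200, "updated"

    def get(self, request):  # no check at all: state is readable by anyone on the LAN
        return 200, {"zones": ["zone1"], "switch": "on"}


class HardenedView(VulnerableView):
    """Same view with the check applied to the read path as well."""

    @require_token
    def get(self, request):
        return 200, {"zones": ["zone1"], "switch": "on"}
```

Running unguarded_handlers() over every view class that sets requires_auth = False is a cheap review check for this class of bug.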

Trust: 1.62

sources: NVD: CVE-2026-54317 // JVNDB: JVNDB-2026-021240

AFFECTED PRODUCTS

vendor: home assistant / model: home-assistant / scope: lt / version: 2026.6.0

Trust: 1.0

vendor: home assistant / model: home assistant / scope: eq / version: -

Trust: 0.8

vendor: home assistant / model: home assistant / scope: - / version: -

Trust: 0.8

vendor: home assistant / model: home assistant / scope: eq / version: 2026.6.0

Trust: 0.8

sources: JVNDB: JVNDB-2026-021240 // NVD: CVE-2026-54317

CVSS

SEVERITY

CVSSV2

CVSSV3

security-advisories@github.com: CVE-2026-54317
value: HIGH

Trust: 1.0

OTHER: JVNDB-2026-021240
value: HIGH

Trust: 0.8

security-advisories@github.com: CVE-2026-54317
baseSeverity: HIGH
baseScore: 7.6
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 2.8
impactScore: 4.7
version: 3.1

Trust: 1.0

OTHER: JVNDB-2026-021240
baseSeverity: HIGH
baseScore: 7.6
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2026-021240 // NVD: CVE-2026-54317

PROBLEMTYPE DATA

problemtype: CWE-306

Trust: 1.0

problemtype: CWE-200

Trust: 1.0

problemtype: information leak (CWE-200) [others]

Trust: 0.8

problemtype: lack of authentication for critical features (CWE-306) [others]

Trust: 0.8

sources: JVNDB: JVNDB-2026-021240 // NVD: CVE-2026-54317

PATCH

title: Konnected alarm-panel switch state and zone topology disclosed to unauthenticated actors on the LAN (Advisory, home-assistant/core, GitHub)
url: https://github.com/home-assistant/core/security/advisories/GHSA-x84v-g949-293w

Trust: 0.8

sources: JVNDB: JVNDB-2026-021240

EXTERNAL IDS

db: NVD / id: CVE-2026-54317

Trust: 2.6

db: JVNDB / id: JVNDB-2026-021240

Trust: 0.8

sources: JVNDB: JVNDB-2026-021240 // NVD: CVE-2026-54317

REFERENCES

url: https://github.com/home-assistant/core/security/advisories/ghsa-x84v-g949-293w

Trust: 1.0

url: https://nvd.nist.gov/vuln/detail/cve-2026-54317

Trust: 0.8

sources: JVNDB: JVNDB-2026-021240 // NVD: CVE-2026-54317

SOURCES

db: JVNDB / id: JVNDB-2026-021240
db: NVD / id: CVE-2026-54317

LAST UPDATE DATE

2026-06-30T23:34:13.334000+00:00


SOURCES UPDATE DATE

db: JVNDB / id: JVNDB-2026-021240 / date: 2026-06-29T02:11:00
db: NVD / id: CVE-2026-54317 / date: 2026-06-26T20:17:26.380

SOURCES RELEASE DATE

db: JVNDB / id: JVNDB-2026-021240 / date: 2026-06-29T00:00:00
db: NVD / id: CVE-2026-54317 / date: 2026-06-23T18:18:08.767