Home / Vulnerability Intelligence / CVE-2026-34205

CVE-2026-34205 - Vulnerability Analysis

CriticalCVSS: 9.6

Last Updated: March 30, 2026

Home Assistant - Broken Access Control

Published: March 27, 2026Updated: March 30, 2026

Overview

Home Assistant apps configured with host network mode expose unauthenticated endpoints on the internal Docker bridge interface, allowing any device on the local network to access these endpoints without authentication, exploit requires network access.

Severity & Score

Severity: Critical

CVSS Score: 9.6

EPSS Score: 1.9%(Probability of exploitation in next 30 days)

Impact

Any device on the local network can access unauthenticated endpoints, potentially leading to unauthorized control or information disclosure.

Mitigation

Update to Home Assistant Supervisor 2026.03.02 or later.

References

https://github.com/home-assistant/core/security/advisories/GHSA-gh5m-4m97-c95h

Social Media Activity(1 post)

Offensive Sequence

@offseq

Mar 28, 2026

🚨 CVE-2026-34205 (CRITICAL): Home Assistant OS ≤17.1 apps in host network mode expose unauthenticated endpoints to local networks. Upgrade to Supervisor 2026.03.02, segment networks, and review configs now! https://radar.offseq.com/threat/cve-2026-34205-cwe-923-improper-restriction-of-com-dfad0bbb #OffSeq #HomeAssistant #IoTSecurity

View original post

Related Resources

Details

CVE ID: CVE-2026-34205
Severity: Critical
CVSS Score: 9.6
Type: broken_access_control
Status: unconfirmed
EPSS: 1.9%
Social Posts: 1

CWE

CWE-923

CVSS Metrics

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score

1.9%Probability of exploitation in the next 30 days