LeakyCreds

CVE-2026-40196 - Vulnerability Analysis

High | CVSS: 8.1

Last Updated: April 17, 2026

HomeBox - Broken Access Control

Published: April 17, 2026
Updated: April 17, 2026
Remote Exploitable

Overview

HomeBox versions before 0.25.0 contain a broken access control vulnerability: the API does not properly validate the defaultGroup ID when the X-Tenant header is omitted, which lets users perform unauthorized CRUD operations on groups. Exploitation requires that the user has been invited to a group.

Severity & Score

Severity: High
CVSS Score: 8.1

Impact

Users can bypass access controls to perform full CRUD operations on groups they should no longer access, risking unauthorized data modification.
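The pattern behind this class of bug, and the check that closes it, as an added Go example (not HomeBox's own code). The `User` type, the function names and the group IDs are hypothetical, and it assumes a user removed from a group can still have that group stored as their default.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// User is a hypothetical model: DefaultGroup is a stored preference,
// Groups is the set of groups the user currently belongs to.
type User struct {
	DefaultGroup string
	Groups       map[string]bool
}

var ErrForbidden = errors.New("user is not a member of the requested group")

// resolveUnchecked shows the flaw class: the X-Tenant path is validated,
// but the fallback to the stored default group is trusted as-is.
func resolveUnchecked(u User, h http.Header) (string, error) {
	if t := h.Get("X-Tenant"); t != "" {
		if !u.Groups[t] {
			return "", ErrForbidden
		}
		return t, nil
	}
	return u.DefaultGroup, nil // a stale default is never re-checked
}

// resolveChecked selects the candidate group first, then applies a single
// membership check regardless of where the group ID came from.
func resolveChecked(u User, h http.Header) (string, error) {
	gid := h.Get("X-Tenant")
	if gid == "" {
		gid = u.DefaultGroup
	}
	if gid == "" || !u.Groups[gid] {
		return "", ErrForbidden
	}
	return gid, nil
}

func main() {
	// Constructed sample: user was removed from "g-old" but it is still the default.
	u := User{DefaultGroup: "g-old", Groups: map[string]bool{"g-own": true}}
	_, err := resolveChecked(u, http.Header{})
	fmt.Println("no X-Tenant header, stale default:", err)
}
```

Running the same membership check on both paths means a request without X-Tenant cannot reach a group the user no longer belongs to.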

Mitigation

Update to version 0.25.0 or later.

Details

CVE ID: CVE-2026-40196
Severity: High
CVSS Score: 8.1
Type: broken_access_control
Status: new

CWE

  • CWE-708

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N