CVE Catalog

CVE-2026-54317

HighCVSS 7.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.19%

9th percentile — higher than 9% of all known CVEs

Summary

In Home Assistant before version 2026.6.0, the Konnected integration exposes an HTTP endpoint where GET requests require no authentication, contrary to the code comment. Write requests (POST/PUT) are token-protected, but read requests (GET) are completely unprotected.

Risk Assessment

An attacker can read Konnected sensor data without authentication, potentially leaking information about home automation state, such as door openings or motion.

Recommendation

Immediately update Home Assistant to version 2026.6.0 or later, which fixes this vulnerability.

Original NVD description (English source)

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.6.0, the Konnected integration registers an HTTP endpoint, KonnectedView (homeassistant/components/konnected/__init__.py), that is marked as not requiring authentication (requires_auth = False). A comment next to that line says auth is instead handled "via the access token from configuration." That promise is only half true. Write requests (POST and PUT) are handled by update_sensor(), which does check the request's Authorization: Bearer <token> header against the integration's stored access tokens (using hmac.compare_digest). Read requests (GET) are handled by a separate get() method that has no authentication check at all. This vulnerability is fixed in 2026.6.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS