Critical Vulnerability in Home Assistant Apps Allows User Takeover

Critical Vulnerability in Home Assistant Apps Allows User Takeover

First seen 1 Jun 2026, 15:24 UTC Heise.Denvd.nist.gov 73% similarity 72.0

Article Content

Browse articles
ThreatCluster

A security vulnerability in the Home Assistant companion apps for Android and iOS allows attackers to intercept access tokens, enabling full control over user instances. The flaw, identified as CVE-2026-44698, has a CVSS score of 8.3, indicating a high risk. Attackers can exploit this vulnerability through Cross-Origin IFrame Token Exfiltration via JavaScript, where a malicious iframe can execute arbitrary code and extract the logged-in user's access token. Users of the affected apps are advised to update to versions 2026.4.1 for iOS and 2026.4.4 for Android to mitigate the risk. If unable to update, users should remove any webpage cards from their dashboards that link to third-party sites. The vulnerability was publicly disclosed on May 29, 2026, following a security advisory from the developers.

Key Points: • CVE-2026-44698 exposes a critical vulnerability in Home Assistant apps for Android and iOS. • Attackers can exploit the flaw to take over user instances by intercepting access tokens. • Users must update to the latest app versions or remove third-party webpage cards to mitigate risks.

ThreatCluster AI

Timeline

2026-05-29
CVE-2026-44698 published
The vulnerability was disclosed, allowing attackers to exploit access tokens in Home Assistant apps.
nvd.nist.gov
2026-06-01
Security advisory issued
Heise.De reported on the vulnerability, urging users to update their apps immediately to prevent takeovers.
Heise.De

Community

Browse all →