Heise.De
Critical Vulnerability in Home Assistant Apps Allows User Takeover
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A security vulnerability in the Home Assistant companion apps for Android and iOS allows attackers to intercept access tokens, enabling full control over user instances. The flaw, identified as CVE-2026-44698, has a CVSS score of 8.3, indicating a high risk. Attackers can exploit this vulnerability through Cross-Origin IFrame Token Exfiltration via JavaScript, where a malicious iframe can execute arbitrary code and extract the logged-in user's access token. Users of the affected apps are advised to update to versions 2026.4.1 for iOS and 2026.4.4 for Android to mitigate the risk. If unable to update, users should remove any webpage cards from their dashboards that link to third-party sites. The vulnerability was publicly disclosed on May 29, 2026, following a security advisory from the developers.
Key Points: • CVE-2026-44698 exposes a critical vulnerability in Home Assistant apps for Android and iOS. • Attackers can exploit the flaw to take over user instances by intercepting access tokens. • Users must update to the latest app versions or remove third-party webpage cards to mitigate risks.