
Critical Vulnerability in Home Assistant Apps Allows User Takeover

Severity: High (Score: 72.0)

Sources: Heise.De, nvd.nist.gov

Published: 2026-06-01 · Updated: 2026-06-01

Keywords: assistant, apps, android, companion, update, cve-2026-44698, home

Severity indicators: CVE:CVE-2026-44698

Summary

A security vulnerability in the Home Assistant companion apps for Android and iOS allows an attacker to intercept access tokens and thereby gain full control over a user's instance. The flaw, tracked as CVE-2026-44698, has a CVSS score of 8.3 (high). It is a cross-origin iframe token exfiltration via JavaScript: a malicious page embedded in an iframe on the dashboard can execute arbitrary code in the app's WebView context and extract the logged-in user's access token. Users of the affected apps should update to version 2026.4.1 for iOS or 2026.4.4 for Android. Users who cannot update should remove any webpage cards from their dashboards that point at third-party sites. The vulnerability was publicly disclosed on May 29, 2026, together with a security advisory from the developers.

Key Points:
  • CVE-2026-44698 is a high-severity vulnerability (CVSS 8.3) in the Home Assistant companion apps for Android and iOS.
  • An attacker who gets a third-party page loaded in the app's dashboard can intercept the user's access token and take over the instance.
  • Users must update to the fixed app versions; removing third-party webpage cards is only an interim mitigation until the update is installed.

Detailed Analysis

**Impact**

Users of the Home Assistant companion apps on Android and iOS are affected; a successful attack can take over the entire Home Assistant instance. The vulnerability exposes the logged-in user's access token, so the attacker can act with that user's privileges, which for most installations means full administrative control. Exposure is not limited to any sector or region; the installations at risk are those whose dashboards embed third-party web content. No figures on affected users or confirmed incidents have been reported.

**Technical Details**

The attack exploits a cross-origin iframe token exfiltration weakness (CVE-2026-44698, CVSS 8.3) in the JavaScript bridge of the apps' in-app WebView. The bridge objects (window.externalApp on Android, webkit.messageHandlers on iOS) are reachable from any frame loaded in the WebView, not only from the Home Assistant frontend, and the bridge does not sanitize the callback identifiers passed with a request. A cross-origin iframe embedded in a dashboard can therefore call the bridge and have arbitrary JavaScript executed in the main app context, where the access token is available. The attack vector is a victim's dashboard loading a malicious or compromised third-party page in an iframe, for example through a webpage card. No malware samples or infrastructure indicators were provided.

**Recommended Response**

Apply the security updates immediately: version 2026.4.4 for Android and 2026.4.1 for iOS. Until the update is installed, remove third-party webpage cards and any other iframes from dashboards so that no foreign origin is loaded inside the app's WebView. Updating the app does not retroactively invalidate a token captured before the update; if misuse is suspected, revoking the affected user's refresh tokens in the Home Assistant user profile forces all clients, including the apps, to re-authenticate (this is general Home Assistant session hygiene and is not part of the vendor guidance quoted by the sources). Monitor for unusual API access patterns, such as an existing token used from an unfamiliar client or address, that could indicate token misuse. No detection signatures or IOCs are currently available.
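The following is an added, illustrative model of the vulnerability class described above, not code from the Home Assistant Companion apps or the advisory: a WebView JavaScript bridge that delivers results by interpolating a caller-supplied callback identifier into script run in the main-frame context, beside a hardened variant that serves only the app's own origin in the top frame, keeps callbacks behind opaque ids in a Map, and never compiles caller-supplied text. All names (makeMainFrame, vulnerableBridge, makeHardenedBridge, demo), the origins, and the token value are hypothetical or constructed; the "native side" is simulated with a direct function call.

```javascript
// Illustrative model written for this page; not the Home Assistant app's code.
// Names, origins and the token value below are hypothetical/constructed.

// Simulated main-frame scope: the WebView that holds the logged-in session.
function makeMainFrame() {
  const frame = {
    origin: "https://ha.example.local",     // the instance's own origin (assumed)
    accessToken: "constructed-token-value", // constructed placeholder, not a real token
    leaked: [],                             // values an injected callback managed to capture
    lastResult: null,
    handlers: {},                           // legitimate page callbacks
  };
  frame.handlers.onThemeResult = (result) => { frame.lastResult = result; };
  // Stand-in for "evaluate this JavaScript in the WebView": compile the
  // script text and run it with the frame scope exposed as `self`.
  frame.evalInFrame = (script) => new Function("self", script)(frame);
  return frame;
}

// VULNERABLE: the native side answers a bridge call by building
//   <callbackId>(<json result>)
// and evaluating it in the main frame. callbackId comes from whichever frame
// invoked the bridge and is never validated, so a cross-origin iframe can pass
// script instead of a function name and it runs with the session's privileges.
function vulnerableBridge(frame, request) {
  const result = { theme: "dark" };       // whatever the native call would return
  const script = `${request.callbackId}(${JSON.stringify(result)})`;
  frame.evalInFrame(script);
}

// HARDENED: (1) the bridge refuses callers that are not the app's own origin in
// the top frame, (2) callbacks are registered under opaque ids held in a Map,
// (3) the native side delivers a structured {id, result} message dispatched by
// lookup, so no caller-supplied text is ever compiled as script.
const CALLBACK_ID = /^cb-\d{1,12}$/;     // defence in depth: ids have one known shape

function makeHardenedBridge(frame) {
  const pending = new Map();
  let counter = 0;
  return {
    // Page side: register a callback and hand the native side an opaque id.
    call(callerOrigin, isTopFrame, request, callback) {
      if (!isTopFrame || callerOrigin !== frame.origin) {
        throw new Error("bridge not available to this frame");
      }
      if (typeof callback !== "function") throw new TypeError("callback must be a function");
      const id = `cb-${++counter}`;
      pending.set(id, { request, callback });
      return id;
    },
    // Native side: deliver a result for a previously registered id.
    // Unknown, malformed or already-consumed ids are dropped; nothing is evaluated.
    deliver(id, result) {
      if (typeof id !== "string" || !CALLBACK_ID.test(id) || !pending.has(id)) return false;
      const { callback } = pending.get(id);
      pending.delete(id);
      callback(result);
      return true;
    },
  };
}

// Run both bridges against the app's own page and against a third-party iframe.
function demo() {
  const injected = "self.leaked.push(self.accessToken);void"; // attacker-chosen "callback id"

  const v = makeMainFrame();
  vulnerableBridge(v, { callbackId: "self.handlers.onThemeResult" }); // app's own page
  vulnerableBridge(v, { callbackId: injected });                      // third-party iframe

  const h = makeMainFrame();
  const bridge = makeHardenedBridge(h);
  const results = [];
  const id = bridge.call(h.origin, true, { method: "getTheme" }, (r) => results.push(r));
  let rejected = false;
  try {
    bridge.call("https://third-party.example", false, { method: "getTheme" }, () => {});
  } catch (e) {
    rejected = true;
  }
  const delivered = bridge.deliver(id, { theme: "dark" });    // genuine native reply
  const forged = bridge.deliver(injected, { theme: "dark" }); // script as id: dropped
  const replay = bridge.deliver(id, { theme: "light" });      // id already consumed

  return {
    vulnerableLastResult: v.lastResult,
    vulnerableLeaked: v.leaked,
    hardenedResults: results,
    rejected, delivered, forged, replay,
    hardenedLeaked: h.leaked,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block with Node shows the vulnerable bridge executing the injected identifier and capturing the placeholder token from the main-frame scope, while the hardened bridge rejects the foreign frame outright and drops a forged delivery without evaluating anything. In a real app the origin and top-frame checks belong on the native side (the bridge should simply not be injected into subframes or foreign origins); the Map-based dispatch is what removes the string-to-script step that made the callback identifier dangerous.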

Source articles (2)

  • Home Assistant: Smartphone apps allow takeover by attackers — Heise.De · 2026-06-01
    Anyone controlling Home Assistant with the companion apps on Android or iOS should apply the available update as soon as possible. The update for the apps closes a security vulnerability through which atta…
  • CVE-2026-44698 — nvd.nist.gov · 2026-06-01
    Home Assistant is open source automation software that puts local control and privacy first. Prior to 2026.4.1 for iOS and 2026.4.4 for Android, the Home Assistant Companion apps for Android and iOS expose a Jav…

Timeline

  • 2026-05-29 — CVE-2026-44698 published: The vulnerability was disclosed, together with the developers' security advisory, describing how attackers can capture access tokens through the Home Assistant apps.
  • 2026-06-01 — Heise.De report published: Heise.De reported on the vulnerability and urged users to update their apps immediately to prevent takeovers.

CVEs

  • CVE-2026-44698

Related entities

  • Data Breach (Attack Type)
  • CWE-200 - Exposure of Sensitive Information (CWE)
  • CWE-79 - Cross-site Scripting (XSS) (CWE)
  • CWE-94 - Code Injection (CWE)
  • german.it (Domain)
  • T1041 - Exfiltration Over C2 Channel (MITRE ATT&CK)
  • T1059.007 - JavaScript (MITRE ATT&CK)
  • T1567 - Exfiltration Over Web Service (MITRE ATT&CK)
  • Android (Platform)
  • iOS (Platform)