Heise.De
High-Risk Vulnerabilities in Home Assistant Exposed
On June 23, 2026, two critical vulnerabilities were disclosed in Home Assistant, an open-source automation platform. CVE-2026-54317 allows unauthorized access to alarm panel status and device topology via a misconfigured API endpoint. CVE-2026-54318 enables local malicious apps to spoof GPS locations, potentially triggering unauthorized automations like unlocking doors. Both vulnerabilities were addressed in the latest updates: Assistant OS version 18 and Assistant Companion version 2026.5.3. Users are urged to update their systems immediately to mitigate risks. The vulnerabilities were rated high risk, with CVSS scores of 7.6 and 7.1, respectively. The issues affect all versions prior to the updates, emphasizing the need for prompt action.
Key Points:
• Two high-risk vulnerabilities in Home Assistant were disclosed on June 23, 2026.
• CVE-2026-54317 allows unauthorized access to sensitive information via an API flaw.
• CVE-2026-54318 enables local apps to spoof GPS locations, risking unauthorized automations.