PT-2023-21158 · Home Assistant · Home Assistant Supervised+1
Joseph Surin · Published 2023-03-08 · Updated 2026-03-29 · CVE-2023-27482
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Home Assistant Supervisor versions 2023.01.1 and earlier
Home Assistant Core versions prior to 2023.3.0
Description
A remotely exploitable issue has been discovered in Home Assistant that allows unauthorized access to the Supervisor API by bypassing authentication. It affects all Home Assistant installations using Supervisor 2023.01.1 or older; installations such as Home Assistant Container or Home Assistant Core in a Python environment are excluded. The issue has been mitigated in Supervisor version 2023.03.1 and Home Assistant Core 2023.3.0.
Recommendations
For Home Assistant Supervisor versions 2023.01.1 and earlier, upgrade to at least version 2023.03.1.
For Home Assistant Core versions prior to 2023.3.0, upgrade to at least version 2023.3.0.
As a temporary workaround, consider not exposing your Home Assistant instance to the internet until the issue is resolved.
Exploit
Fix
Improper Authentication
Weakness Enumeration
Related Identifiers
Affected Products
Home Assistant Core
Home Assistant Supervised