CVE-2023-41894

Name of the Vulnerable Software and Affected Versions Home Assistant versions prior to 2023.9.0

Description The issue affects Home Assistant, an open-source home automation system. Webhooks in the webhook component can be triggered via the *.ui.nabu.casa URL without authentication, even when marked as only accessible from the local network. This is facilitated by the SniTun proxy, which sets the source address to 127.0.0.1 on all requests sent to the public URL and forwarded to the local Home Assistant.

Recommendations For versions prior to 2023.9.0, upgrade to version 2023.9.0 to address the issue. As a temporary workaround, consider restricting access to the webhook component until the upgrade is applied.