PT-2026-22775 · Homebox · Homebox

Djnnvx · Published 2026-03-03 · Updated 2026-03-04 · CVE-2026-27981

CVSS v3.1: 7.4 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: HomeBox versions prior to 0.24.0
Description: HomeBox, a home inventory and organization system, has an issue where the authentication rate limiter (authRateLimiter) incorrectly identifies client IP addresses. The rate limiter uses the X-Real-IP header, the first entry in the X-Forwarded-For header, and the TCP connection address (r.RemoteAddr) to track failed login attempts per client. An attacker connecting directly to HomeBox can manipulate the X-Real-IP header to bypass the rate limiting mechanism and obtain a new identity with each request. The TrustProxy configuration option (Options.TrustProxy) is not utilized by the rate limiter or any middleware. The middleware.RealIP function in main.go unconditionally overwrites r.RemoteAddr with the forged header value. The API endpoint used for authentication is not explicitly mentioned, but the issue affects the rate limiting of authentication attempts. The vulnerable parameters are X-Real-IP and X-Forwarded-For.
Recommendations: Update to version 0.24.0 or later.
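The lookup order described above, written out as an added Go example (not HomeBox's own code): weakClientKey reproduces the flawed behaviour in which client-supplied headers win unconditionally, and safeClientKey shows the mitigation of consulting forwarded headers only when a TrustProxy setting is enabled. The Options type, function names and the choice of the last X-Forwarded-For entry are assumptions for illustration.

```go
package main

import (
	"net"
	"net/http"
	"strings"
)

// Options stands in for the TrustProxy setting named in the advisory
// (assumed shape; not HomeBox's own type).
type Options struct{ TrustProxy bool }

// hostOnly strips the port from a peer address such as "203.0.113.7:51234".
func hostOnly(addr string) string {
	if host, _, err := net.SplitHostPort(addr); err == nil {
		return host
	}
	return addr
}

// weakClientKey mirrors the flawed lookup order the advisory describes:
// forwarded headers win unconditionally, so a direct client picks its own key.
func weakClientKey(r *http.Request) string {
	if ip := r.Header.Get("X-Real-IP"); ip != "" {
		return ip
	}
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		return strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	return hostOnly(r.RemoteAddr)
}

// safeClientKey honours forwarded headers only when TrustProxy is set, and
// even then only a parseable address; otherwise the TCP peer is the key.
func safeClientKey(opts Options, r *http.Request) string {
	peer := hostOnly(r.RemoteAddr)
	if !opts.TrustProxy {
		return peer
	}
	if ip := net.ParseIP(strings.TrimSpace(r.Header.Get("X-Real-IP"))); ip != nil {
		return ip.String()
	}
	// A proxy appends the real client to the end of X-Forwarded-For; the first
	// entry is whatever the client sent, so the last entry is the trustworthy one.
	parts := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	if ip := net.ParseIP(strings.TrimSpace(parts[len(parts)-1])); ip != nil {
		return ip.String()
	}
	return peer
}
```

With TrustProxy off, every request from one TCP peer maps to the same key regardless of the headers it carries, which is what makes the per-client counter meaningful again.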


Weakness Enumeration

Improper Restriction of Excessive Authentication Attempts

Related Identifiers

CVE-2026-27981
GHSA-J86G-V96V-JPP3

Affected Products

Homebox