CVE-2026-40196

Name of the Vulnerable Software and Affected Versions HomeBox versions prior to 0.25.0

Description An issue exists where the defaultGroup ID remains permanently assigned to a user after their access to a group is revoked. Although the web interface enforces this revocation, the API does not properly validate the defaultGroup value when the 'X-Tenant' header is omitted. This allows a user to perform full CRUD (Create, Read, Update, Delete) operations on the group's collections via the API, bypassing access controls.

Recommendations Update to version 0.25.0.