PT-2026-41449 · Home Assistant · Home Assistant Community Store
Lyghtnox
·
Published
2026-05-16
·
Updated
2026-05-27
·
CVE-2021-47942
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Home Assistant Community Store (HACS) version 1.10.0
Description
A path traversal issue allows unauthenticated attackers to read sensitive files by traversing directories via the '/hacsfiles/' endpoint. This can be used to retrieve the
.storage/auth file, which contains user credentials and refresh tokens, enabling the creation of valid JWT (JSON Web Tokens) to gain administrative access to Home Assistant instances.Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Home Assistant Community Store