PT-2026-44845 · Home Assistant · Home Assistant Companion App For Ios+1

Kwstubbs

·

Published

2026-05-29

·

Updated

2026-06-01

·

CVE-2026-44698

CVSS v3.1

8.3

High

Vector

AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Home Assistant Companion app for iOS versions prior to 2026.4.1
Home Assistant Companion app for Android versions prior to 2026.4.4

Description

The Home Assistant Companion apps for Android and iOS expose a JavaScript bridge to the in-app WebView. On Android this is exposed via 'window.externalApp'; on iOS it is exposed via the 'webkit.messageHandlers' handlers 'getExternalAuth', 'revokeExternalAuth', and 'externalBus'. Two flaws allow this bridge to be accessed by all frames, including cross-origin iframes, rather than only the main frame of the Home Assistant frontend. Additionally, the JavaScript callback identifier supplied by the page is interpolated into the script the app evaluates without sanitization, so a cross-origin iframe rendered within the app can execute arbitrary JavaScript in the main-frame origin of the Home Assistant frontend, which can be used to exfiltrate the signed-in user's access token.

Recommendations

Update the iOS app to version 2026.4.1. Update the Android app to version 2026.4.4.
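The two defects described above, as an added illustration that is not code from the Home Assistant Companion apps: a model of the native side of the bridge that builds the reply script, shown first with the callback identifier spliced in verbatim and then with an identifier check plus a main-frame and origin check. The message shape, the frame descriptor fields, the origin and the callback name are assumptions made for this example.

```javascript
// Constructed model of a WebView JavaScript bridge reply path (not the apps' code).
// A page posts a body like {"callback":"<name>"}; the native side then evaluates
// "<name>(<result>)" in the page. The frame descriptor below mirrors the
// isMainFrame/securityOrigin data a WKScriptMessage carries on iOS (assumed shape).
const HA_ORIGIN = "https://homeassistant.local:8123"; // constructed sample origin
const IDENT = /^[A-Za-z_$][A-Za-z0-9_$]*$/;           // a bare JavaScript identifier

// Vulnerable pattern: the caller-controlled name is interpolated into the script
// as-is, so anything that is not a plain identifier becomes part of the evaluated code.
function buildReplyUnsafe(callback, result) {
  return `${callback}(${JSON.stringify(result)});`;
}

// Hardened pattern, part 1: refuse to build a script for anything but a bare identifier.
function buildReplySafe(callback, result) {
  if (typeof callback !== "string" || !IDENT.test(callback)) {
    throw new TypeError("callback is not a plain JavaScript identifier");
  }
  return `${callback}(${JSON.stringify(result)});`;
}

// Hardened pattern, part 2: only honour bridge messages that come from the
// top-level frame of the expected origin; any iframe, cross-origin or not, is ignored.
function handleBridgeMessage(msg, allowedOrigin = HA_ORIGIN) {
  if (!msg.frame || msg.frame.isMainFrame !== true) {
    return { ok: false, reason: "not main frame" };
  }
  if (msg.frame.origin !== allowedOrigin) {
    return { ok: false, reason: "wrong origin" };
  }
  let callback;
  try {
    callback = JSON.parse(msg.body).callback;
  } catch {
    return { ok: false, reason: "malformed body" };
  }
  try {
    // The result object is a constructed stand-in for the real token reply.
    return { ok: true, script: buildReplySafe(callback, { ok: true }) };
  } catch (e) {
    return { ok: false, reason: e.message };
  }
}
```

On iOS the same frame restriction can also be enforced when registering the user script with `forMainFrameOnly` set, so the bridge objects are never injected into subframes at all.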

Fix

Weakness Enumeration

Origin Validation Error

Code Injection

Related Identifiers

CVE-2026-44698

Affected Products

Home Assistant Companion For Android
Home Assistant Companion App For Ios