PT-2026-51577 · Home Assistant · Core

Waihankan · Published 2026-06-23 · Updated 2026-06-23 · CVE-2026-54318

CVSS v3.1: 7.1 High

Vector: AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Home Assistant versions prior to 2026.5.3

Description

The LocationSensorManager BroadcastReceiver is exported without requiring permissions. This allows any installed application on the device, regardless of its runtime permissions, to send a forged Google Play Services LocationResult to the receiver. The receiver trusts this data and forwards it to the Home Assistant server as the actual device location. This process bypasses the Android developer-mode Mock Location gate, enabling a malicious local application to trigger zone-based automations, such as unlocking doors, disarming alarms, or opening garages, by spoofing the GPS position.

Recommendations

Update to version 2026.5.3.

Related Identifiers

CVE-2026-54318

Affected Products

Core