PT-2026-53283 · Unknown · Home Assistant
Kaueraal · Published 2026-06-29 · Updated 2026-06-29 · CVE-2026-55844
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Home Assistant versions prior to 2025.5.0
Description
The iOS companion app fails to respect the SSID allowlist for internal networks. While the app typically uses the Service Set Identifier (SSID)—the public name of a wireless network—to determine when to use the internal URL, it incorrectly falls back to the internal URL when no other URL is available. This behavior can lead to the exposure of the user's authentication token when the device is connected to an insecure network.
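The fallback described above can be modelled in a few lines. This is an added example, not code from the Home Assistant iOS app: the function names, the `ServerConfig` type, the sample URL and the SSIDs are all constructed, and the strict variant is one possible way to enforce the allowlist, not necessarily the project's fix.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ServerConfig:
    """Constructed stand-in for the app's per-server connection settings."""
    internal_url: Optional[str]
    external_url: Optional[str]
    internal_ssids: frozenset


def select_url_flawed(cfg, current_ssid):
    """Behaviour described in the advisory: internal URL used as a last resort."""
    if cfg.internal_url and current_ssid in cfg.internal_ssids:
        return cfg.internal_url
    if cfg.external_url:
        return cfg.external_url
    # Flaw: the SSID allowlist is bypassed when no other URL is configured.
    return cfg.internal_url


def select_url_strict(cfg, current_ssid):
    """Allowlist enforced: off-list networks never receive the internal URL."""
    if cfg.internal_url and current_ssid in cfg.internal_ssids:
        return cfg.internal_url
    return cfg.external_url  # None means "no usable URL, do not connect"


def token_sent_in_cleartext(url):
    """True if a request to `url` would carry the auth token over plain HTTP."""
    return url is not None and urlsplit(url).scheme == "http"


# Constructed sample: internal-only setup with a single allowlisted SSID.
CFG = ServerConfig("http://homeassistant.local:8123", None, frozenset({"HomeWiFi"}))

if __name__ == "__main__":
    for ssid in ("HomeWiFi", "CafeGuest", None):
        flawed = select_url_flawed(CFG, ssid)
        strict = select_url_strict(CFG, ssid)
        exposed = ssid not in CFG.internal_ssids and token_sent_in_cleartext(flawed)
        print(f"ssid={ssid!s:10} flawed={flawed} strict={strict} exposed={exposed}")
```
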
Recommendations
Update to version 2025.5.0.
Fix
Cleartext Transmission of Sensitive Information
Weakness Enumeration
Related Identifiers
Affected Products
Home Assistant