CVE-2026-27600 in homebox
Summary
by MITRE • 03/04/2026
HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, the notifier functionality allows authenticated users to specify arbitrary URLs to which the application sends HTTP POST requests. No validation or restriction is applied to the supplied host, IP address, or port. Although the application does not return the response body from the target service, its UI behavior differs depending on the network state of the destination. This creates a behavioral side-channel that enables internal service enumeration. This vulnerability is fixed in 0.24.0-rc.1.
Analysis
by VulDB Data Team • 03/06/2026
CVE-2026-27600 affects HomeBox, a home inventory and organization system, in versions prior to 0.24.0-rc.1. The flaw is in the notifier functionality, which delivers event notifications by sending HTTP POST requests to endpoints that users configure. An authenticated user can supply an arbitrary URL, and the application applies no validation or restriction to the supplied host, IP address, or port before the request is sent.
This is server-side request forgery (SSRF): the HomeBox server, not the user's browser, issues the POST request, so it can reach loopback, private-network, and link-local addresses that are visible from the server but not from the attacker. The response body is never returned to the user, so the SSRF is blind. The UI does, however, behave differently depending on the network state of the destination, and that difference is the behavioral side-channel.
Because the UI distinguishes between destinations that are reachable, responding, or unreachable, an attacker with an account can point the notifier at candidate internal hosts and ports and read the result off the UI, one probe per notifier configuration. That amounts to internal service enumeration and partial network mapping without the attacker ever sending a packet to the internal network, and the probes originate from the HomeBox server. What leaks is reachability only, not response content, which is why the impact is reconnaissance rather than data exposure in itself. From the defender's side, outbound connections from the HomeBox host to unusual destinations (visible on an egress firewall or proxy) are the signal that such probing is taking place.
The assigned weakness is CWE-20, Improper Input Validation; the more specific classification for this pattern is CWE-918, Server-Side Request Forgery. In the ATT&CK framework the behaviour corresponds to T1046, Network Service Discovery (formerly named Network Service Scanning), since the attacker uses the application to discover which internal services are listening. T1082, System Information Discovery, is a weaker fit: it covers information about the host itself, whereas what leaks here is network reachability. The broader lesson is that any feature that makes outbound requests to user-supplied destinations is an SSRF surface and needs the same controls as one that returns the response body.
The fix is in 0.24.0-rc.1, and upgrading is the primary mitigation. Independently of the upstream change, the standard controls for an outbound-notification feature are: allow only http and https, reject URLs carrying credentials, restrict ports, resolve the hostname and reject loopback, private, link-local, and multicast results for every returned record, pin the actual connection to the vetted addresses so that a re-resolution at connect time cannot be rebound to an internal address, and do not follow redirects. Where the deployment allows it, an allowlist of approved external endpoints is simpler and stricter than a denylist. The side-channel itself is closed by returning the same generic outcome to the user whether the destination accepted the request, refused it, or timed out, and logging the detail server-side instead. Network segmentation and egress filtering from the HomeBox host limit what an SSRF can reach if the application-layer checks fail, and other components that accept user-supplied URLs should be reviewed for the same pattern.
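As an added example (this is not HomeBox code and not the upstream fix, whose details the advisory does not describe), the following Go program shows the destination policy the mitigation paragraph calls for: scheme, userinfo and port checks, blocking of loopback, private, link-local, multicast and similar ranges applied to the resolver's output rather than the literal host string, and a net.Dialer Control hook that pins the connection to the vetted addresses so a DNS rebind between validation and connect is refused. Go is used because HomeBox's backend is written in Go. The function names, the port allowlist and the Resolver abstraction are this example's own assumptions; the hostnames are placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"syscall"
)

// Resolver abstracts DNS lookup (net.LookupIP satisfies it) so the policy can be tested with a fixed table.
type Resolver func(host string) ([]net.IP, error)

// Illustrative port allowlist: an assumption for this example, not HomeBox policy.
var allowedPorts = map[string]bool{"80": true, "443": true, "8080": true, "8443": true}

// Ranges the net.IP helpers do not flag: "this" network, CGNAT, IETF assignments, benchmarking, reserved.
var extraBlocked = []string{"0.0.0.0/8", "100.64.0.0/10", "192.0.0.0/24", "198.18.0.0/15", "240.0.0.0/4"}

// IsDisallowedIP reports whether ip is unspecified, loopback, private (RFC 1918 / ULA), link-local (which
// covers the 169.254.169.254 metadata address), multicast, or in extraBlocked. IPv4-mapped IPv6 such as
// ::ffff:127.0.0.1 is caught because the net.IP helpers call To4 internally.
func IsDisallowedIP(ip net.IP) bool {
	if ip == nil || ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsInterfaceLocalMulticast() || ip.IsMulticast() {
		return true
	}
	for _, c := range extraBlocked {
		if _, n, _ := net.ParseCIDR(c); n.Contains(ip) {
			return true
		}
	}
	return false
}

// ValidateWebhookURL enforces scheme, userinfo, port and destination policy and returns the resolved
// addresses for the caller to pin to. It checks the resolver's output, so shorthand such as "127.1" that a
// system resolver expands to 127.0.0.1 is still rejected, and every record must pass because an
// attacker-controlled zone can mix a public and an internal address.
func ValidateWebhookURL(raw string, resolve Resolver) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return nil, errors.New("userinfo in URL not allowed")
	}
	host, port := u.Hostname(), u.Port()
	if host == "" {
		return nil, errors.New("missing host")
	}
	if port == "" {
		port = map[string]string{"http": "80", "https": "443"}[u.Scheme]
	}
	if !allowedPorts[port] {
		return nil, fmt.Errorf("port %s not allowed", port)
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else if ips, err = resolve(host); err != nil {
		return nil, err
	}
	if len(ips) == 0 {
		return nil, errors.New("host did not resolve")
	}
	for _, ip := range ips {
		if IsDisallowedIP(ip) {
			return nil, fmt.Errorf("destination %s is not a permitted target", ip)
		}
	}
	return ips, nil
}

// PinnedControl returns a net.Dialer Control hook that refuses any connection whose destination is not one
// of the vetted addresses. Control sees the literal IP being dialed, so a name rebound to an internal
// address between validation and connect is refused.
func PinnedControl(vetted []net.IP) func(network, address string, c syscall.RawConn) error {
	return func(_, address string, _ syscall.RawConn) error {
		h, _, err := net.SplitHostPort(address)
		if err != nil {
			return err
		}
		for _, v := range vetted {
			if v.Equal(net.ParseIP(h)) {
				return nil
			}
		}
		return fmt.Errorf("refusing to dial %s: not a vetted address", address)
	}
}

func main() {
	// Run directly this uses real DNS; hooks.example.com is a placeholder name.
	ips, err := ValidateWebhookURL("https://hooks.example.com/notify", net.LookupIP)
	fmt.Println(ips, err)
}
```

To wire this into the sender, use `&net.Dialer{Control: PinnedControl(ips)}` as the `DialContext` of the `http.Transport`, set the client's `CheckRedirect` to return `http.ErrUseLastResponse` so a 302 to an internal URL cannot re-route the request, and give the client a timeout so a probe cannot hold a worker. The pinning is deliberately strict: a legitimate host whose records change between validation and the dial is refused too, so validate immediately before each send rather than once at configuration time. None of this closes the side-channel by itself; the user-facing result still has to be the same generic message for success, refusal and timeout, with the detail going to the server log.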