CVE-2026-55844 in coreinfo

Summary

by MITRE • 06/29/2026

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2025.5.0, The iOS companion app ignores the SSID allowlist for internal networks. The app uses SSID to detect when to use the internal URL, but whenever the app cannot find any other URL to be used, it fallbacks to the internal URL as well, which can expose user's token when connected to a not secure network. This vulnerability is fixed in 2025.5.0.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 06/30/2026

The Home Assistant ecosystem represents a critical component in modern smart home deployments, providing users with local control and privacy-focused automation capabilities. The platform's architecture relies heavily on secure communication channels between various components including mobile applications and the central home assistant server. When considering the security implications of mobile companion applications, it becomes essential to understand how network detection mechanisms can inadvertently create security vulnerabilities. The iOS companion application serves as a primary interface for users to interact with their home automation systems remotely, making its security posture particularly critical in protecting user data and system integrity.

The technical flaw manifests in the iOS companion app's implementation of SSID allowlist functionality, which is designed to determine when to utilize internal network connections versus external ones. This vulnerability stems from improper fallback logic within the application's network detection mechanism, where the system fails to properly respect the configured SSID allowlist restrictions. When the application cannot identify an appropriate URL for connection, it automatically defaults to using the internal URL regardless of network security status. This behavior creates a significant security gap as users who are connected to untrusted networks may unknowingly transmit sensitive authentication tokens and other confidential data through internal network connections that should only be accessible within secure local environments.

The operational impact of this vulnerability extends beyond simple privacy concerns to encompass potential system compromise scenarios. When connected to insecure networks such as public wifi hotspots or unsecured corporate networks, the application's automatic fallback to internal URLs exposes user authentication tokens and potentially sensitive home automation configuration data. This represents a direct violation of network segmentation principles and can lead to unauthorized access to home automation systems, enabling attackers to manipulate connected devices, monitor activities, or exfiltrate personal information. The vulnerability particularly affects users who rely on the companion app for remote access while traveling or working in environments where they may inadvertently connect to untrusted networks.

This security weakness aligns with common vulnerability classifications including cwe-284 which addresses improper access control and cwe-310 which covers cryptographic issues related to authentication. The flaw also demonstrates characteristics consistent with attack patterns described in the mitre att&ck framework under initial access and credential access phases, where adversaries can leverage network-based attacks to obtain valid credentials for system access. The vulnerability represents a failure in proper network context awareness and secure by default implementation practices that should be fundamental to mobile applications handling sensitive user data. Organizations implementing home automation systems using Home Assistant should consider this vulnerability as part of their overall security assessment, particularly when evaluating the security posture of mobile endpoints within their environments.

The mitigation strategy involves updating to version 2025.5.0 or later where the application properly respects SSID allowlist configurations and implements correct fallback logic for network connections. Users should immediately apply this update to ensure their systems maintain proper security boundaries between internal and external network communications. Additionally, system administrators should review their network segmentation policies and consider implementing additional monitoring controls to detect unusual patterns of internal network access from unexpected external locations. The fix addresses the core architectural issue by ensuring that when no suitable external URL can be determined, the application maintains its security posture rather than automatically defaulting to potentially insecure internal connections.

Responsible

GitHub M

Reservation

06/17/2026

Disclosure

06/29/2026

Moderation

accepted

CPE

ready

EPSS

0.00161

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!