Cyber Resilience

CVE-2026-27796

Medium · Public PoC

Published: 07 March 2026

Modified: 10 March 2026
KEV Added: not listed
Patch: fixed in 1.54.0
CVSS Score (v3.1): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0003 (7.6th percentile)
Risk Priority: 11 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-27796 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Homarr (vendor: Homarr). Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Service Discovery (T1046). The CVE ranks at the 7.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-27796 affects Homarr, an open-source dashboard, in versions prior to 1.54.0. The vulnerability stems from the integration.all tRPC endpoint being exposed as a publicProcedure, which permits unauthenticated users to retrieve a complete list of configured integrations. This exposure leaks sensitive metadata, including internal service URLs, integration names, and service types. Rated at CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), it maps to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-862 (Missing Authorization).
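To make the root cause concrete, the following is an added example, not Homarr's code and not taken from the advisory or the patching commit. It models tRPC's publicProcedure/protectedProcedure convention with a tiny stand-in builder (no tRPC dependency) and constructed sample integrations, showing why a query built on publicProcedure answers unauthenticated callers and how a session-checking middleware closes the gap.

```typescript
// Added, hypothetical model of the tRPC procedure pattern; names such as
// requireSession, canList and the sample integrations are constructed here.

type Session = { userId: string } | null;
type Ctx = { session: Session };

// Constructed sample data standing in for a dashboard's configured integrations:
// exactly the kind of internal URL / name / service-type metadata the CVE leaks.
const INTEGRATIONS = [
  { name: "media-server", kind: "jellyfin", url: "http://10.0.0.12:8096" },
  { name: "dns", kind: "pihole", url: "http://10.0.0.2/admin" },
];

type Resolver<T> = (ctx: Ctx) => T;
type Middleware = (ctx: Ctx) => void;

// Minimal stand-in for a tRPC procedure builder: every middleware runs
// before the resolver, and any middleware may abort the call by throwing.
function procedure(...middlewares: Middleware[]) {
  return {
    query<T>(resolver: Resolver<T>) {
      return (ctx: Ctx): T => {
        for (const mw of middlewares) mw(ctx);
        return resolver(ctx);
      };
    },
  };
}

// Mirrors the common tRPC convention: reject calls that carry no session.
const requireSession: Middleware = (ctx) => {
  if (!ctx.session) throw new Error("UNAUTHORIZED");
};

const publicProcedure = procedure();               // no checks at all
const protectedProcedure = procedure(requireSession); // session required

// Vulnerable shape (CWE-862): anyone who can reach the server gets the full list.
export const integrationAllVulnerable = publicProcedure.query(() => INTEGRATIONS);

// Patched shape: the same resolver, but only reachable with a session.
export const integrationAllPatched = protectedProcedure.query(() => INTEGRATIONS);

// Review/test helper: does a call with the given session succeed?
export function canList(handler: (ctx: Ctx) => unknown, session: Session): boolean {
  try { handler({ session }); return true; } catch { return false; }
}
```

The same check is what a code reviewer would look for on any router: a procedure that returns configuration data must be built on the authenticated builder, not the public one.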

Any unauthenticated attacker with network access to a vulnerable Homarr instance can exploit this by directly querying the integration.all endpoint. Successful exploitation yields reconnaissance data on the target's internal services and configurations, potentially facilitating targeted follow-on attacks such as service enumeration, phishing, or exploitation of exposed endpoints. No user interaction, privileges, or special conditions are required beyond reaching the server.

The issue was addressed in Homarr version 1.54.0, as detailed in the project's security advisory (GHSA-m4vc-4prp-cvp7), release notes, and the patching commit. Security practitioners should upgrade to 1.54.0 or later and review exposed configurations for leaked metadata.

EU & UK References

Vulnerability details

Homarr is an open-source dashboard. Prior to version 1.54.0, the integration.all tRPC endpoint in Homarr is exposed as a publicProcedure, allowing unauthenticated users to retrieve a complete list of configured integrations. This metadata includes sensitive information such as internal service URLs, integration names, and service types. This issue has been patched in version 1.54.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1046 Network Service Discovery (Discovery)
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1590 Gather Victim Network Information (Reconnaissance)
Adversaries may gather information about the victim's networks that can be used during targeting.
Why these techniques?

The vulnerability in the public-facing Homarr dashboard exposes an unauthenticated endpoint that leaks internal service URLs and configurations, directly enabling T1190 (exploiting a public-facing application), T1590 (gathering victim network information from the leaked URLs), and T1046 (service enumeration from the integration list).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33510 · Same product: Homarr Homarr
CVE-2025-67493 · Same product: Homarr Homarr
CVE-2025-64759 · Same product: Homarr Homarr
CVE-2026-30845 · Shared CWE-200, CWE-862
CVE-2025-22612 · Shared CWE-200, CWE-862
CVE-2026-45717 · Shared CWE-862
CVE-2026-28276 · Shared CWE-200, CWE-862
CVE-2024-13796 · Shared CWE-200
CVE-2026-45209 · Shared CWE-862
CVE-2026-25026 · Shared CWE-862

Affected Assets

Vendor: homarr
Product: homarr
Versions: ≤ 1.54.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI)

prevent: AC-3 (Access Enforcement) directly enforces authorization checks on the integration.all tRPC endpoint so unauthenticated callers cannot retrieve integration metadata.

prevent: AC-14 (Permitted Actions Without Identification or Authentication) explicitly limits actions permitted without identification or authentication, blocking public exposure of the integration.all endpoint.

prevent: Ensures the integration.all procedure is not reachable by principals that have not been granted any privileges on integration data.

References