CVE-2026-27796
Published: 07 March 2026
Summary
CVE-2026-27796 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Homarr. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Service Discovery (T1046); ranked at the 6.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Requiring attribute association with information prevents authorization from being performed without the necessary security or privacy context.
- Mandates authorization checks before permitting access or data processing via external systems.
- The control provides a mechanism for authorized users to determine authorization matches, preventing sharing without proper authorization verification.
- Session auditing enables detection of unauthorized exposure of, or access to, sensitive information during user activities.
- Sanitizing equipment to remove specified information before off-site maintenance prevents exposure of sensitive information to unauthorized actors such as external maintenance personnel.
- Requiring detailed, requestable records of every PII disclosure directly aids detection of unauthorized exposures of sensitive information.
- Ensures missing authorization mechanisms for critical data functions are identified and remediated via policy.
- Annual reviews and proposal scrutiny detect and block matching programs that would expose sensitive data to unauthorized recipients or systems.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The vulnerability in a public-facing Homarr dashboard exposes an unauthenticated endpoint that leaks internal service URLs and configuration. This maps directly to T1190 (Exploit Public-Facing Application), T1590 (Gather Victim Network Information, via the leaked URLs) and T1046 (Network Service Discovery, via enumeration of the integration list).
NVD Description
Homarr is an open-source dashboard. Prior to version 1.54.0, the integration.all tRPC endpoint in Homarr is exposed as a publicProcedure, allowing unauthenticated users to retrieve a complete list of configured integrations. This metadata includes sensitive information such as internal service URLs, integration names, and service types. This issue has been patched in version 1.54.0.
Deeper analysis (AI-generated)
CVE-2026-27796 affects Homarr, an open-source dashboard, in versions prior to 1.54.0. The vulnerability stems from the integration.all tRPC endpoint being exposed as a publicProcedure, which permits unauthenticated users to retrieve a complete list of configured integrations. This exposure leaks sensitive metadata, including internal service URLs, integration names, and service types. Rated at CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), it maps to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-862 (Missing Authorization).
Any unauthenticated attacker with network access to a vulnerable Homarr instance can exploit this by directly querying the integration.all endpoint. Successful exploitation yields reconnaissance data on the target's internal services and configurations, potentially facilitating targeted follow-on attacks such as service enumeration, phishing, or exploitation of exposed endpoints. No user interaction, privileges, or special conditions are required beyond reaching the server.
The issue was addressed in Homarr version 1.54.0, as detailed in the project's security advisory (GHSA-m4vc-4prp-cvp7), release notes, and the patching commit. Security practitioners should upgrade to 1.54.0 or later and review exposed configurations for leaked metadata.
Details
- CWE(s)