CVE-2026-27796
Published: 07 March 2026
Summary
CVE-2026-27796 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Homarr. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Service Discovery (T1046); ranked at the 7.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-27796 affects Homarr, an open-source dashboard, in versions prior to 1.54.0. The vulnerability stems from the integration.all tRPC endpoint being exposed as a publicProcedure, which permits unauthenticated users to retrieve a complete list of configured integrations. This exposure leaks sensitive metadata, including internal service URLs, integration names, and service types. Rated at CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), it maps to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-862 (Missing Authorization).
Any unauthenticated attacker with network access to a vulnerable Homarr instance can exploit this by directly querying the integration.all endpoint. Successful exploitation yields reconnaissance data on the target's internal services and configurations, potentially facilitating targeted follow-on attacks such as service enumeration, phishing, or exploitation of exposed endpoints. No user interaction, privileges, or special conditions are required beyond reaching the server.
The issue was addressed in Homarr version 1.54.0, as detailed in the project's security advisory (GHSA-m4vc-4prp-cvp7), release notes, and the patching commit. Security practitioners should upgrade to 1.54.0 or later and review exposed configurations for leaked metadata.
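To make the root cause concrete, here is an added example (not Homarr's code and not the real @trpc/server API) that models tRPC's procedure/middleware chain in a few lines and contrasts an `integration.all` query built on `publicProcedure` with the same resolver placed behind a session-checking `protectedProcedure`; the integration records and the `rejectsAnonymous` helper are constructed for the demonstration.

```typescript
// Minimal stand-in for tRPC's procedure builder (hypothetical, not @trpc/server).
type Session = { userId: string } | null;
type Ctx = { session: Session };
type Middleware = (ctx: Ctx) => Ctx;

class TRPCError extends Error {
  code: "UNAUTHORIZED" | "FORBIDDEN";
  constructor(code: "UNAUTHORIZED" | "FORBIDDEN") { super(code); this.code = code; }
}

class Procedure {
  private readonly mws: Middleware[];
  constructor(mws: Middleware[] = []) { this.mws = mws; }
  // .use() appends a middleware; .query() finalises the chain into a callable.
  use(mw: Middleware): Procedure { return new Procedure([...this.mws, mw]); }
  query<T>(resolve: (ctx: Ctx) => T): (ctx: Ctx) => T {
    return (ctx) => resolve(this.mws.reduce((c, mw) => mw(c), ctx));
  }
}

const publicProcedure = new Procedure();
// Session check runs before the resolver, so anonymous callers never reach the data.
const enforceSession: Middleware = (ctx) => {
  if (!ctx.session) throw new TRPCError("UNAUTHORIZED");
  return ctx;
};
const protectedProcedure = publicProcedure.use(enforceSession);

// Constructed sample records standing in for configured integrations.
const integrations = [
  { name: "media-server", kind: "jellyfin", url: "http://10.0.0.5:8096" },
  { name: "downloads", kind: "sabnzbd", url: "http://10.0.0.7:8080" },
];

// Vulnerable shape (pre-1.54.0): the list is served to any caller.
const vulnerableIntegrationAll = publicProcedure.query(() => integrations);
// Patched shape: identical resolver, but gated by the session middleware.
const fixedIntegrationAll = protectedProcedure.query(() => integrations);

// Defender-side check: does a procedure refuse a caller with no session?
function rejectsAnonymous(proc: (ctx: Ctx) => unknown): boolean {
  try { proc({ session: null }); return false; }
  catch (e) { return e instanceof TRPCError && e.code === "UNAUTHORIZED"; }
}
```

The same `rejectsAnonymous` style of check, run in a unit test over every query in a router, catches a procedure that was accidentally built on `publicProcedure` before it ships.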
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10114
Vulnerability details
Homarr is an open-source dashboard. Prior to version 1.54.0, the integration.all tRPC endpoint in Homarr is exposed as a publicProcedure, allowing unauthenticated users to retrieve a complete list of configured integrations. This metadata includes sensitive information such as internal service URLs, integration names, and service types. This issue has been patched in version 1.54.0.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the public-facing Homarr dashboard exposes an unauthenticated endpoint that leaks internal service URLs and configuration, directly enabling T1190 (exploiting a public-facing application), T1590 (gathering victim network information from the leaked URLs), and T1046 (service enumeration from the integration list).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces authorization checks on the integration.all tRPC endpoint so unauthenticated callers cannot retrieve integration metadata.
- AC-14 (Permitted Actions Without Identification or Authentication): Explicitly limits actions permitted without identification or authentication, blocking public exposure of the integration.all endpoint.
- Ensures the integration.all procedure is not reachable by principals that have not been granted any privileges on integration data.