CVE-2026-27981
Published: 03 March 2026
Summary
CVE-2026-27981 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Sysadminsmedia Homebox. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Password Guessing (T1110.001); ranked at the 21.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
This control enforces a limit on consecutive invalid logon attempts and triggers an automatic response (e.g., lockout or back-off) once the limit is exceeded, preventing brute-force exploitation of authentication mechanisms.
Conditions such as an excessive number of failed attempts can also trigger a stronger authentication requirement, which restricts brute-force exploitation.
For this CVE, both controls only work if the limiter keys on an identity the attacker cannot choose: the TCP peer address, or a proxy header only when a trusted proxy is actually configured in front of the application. A lockout keyed on an attacker-supplied X-Real-IP value is bypassed on every request.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Rate limiter bypass via forged X-Real-IP/X-Forwarded-For headers directly enables unlimited authentication attempts for password guessing (T1110.001); the flaw exists in a public-facing web application and is exploited over the network (T1190).
NVD Description
HomeBox is a home inventory and organization system. Prior to 0.24.0, the authentication rate limiter (authRateLimiter) tracks failed attempts per client IP. It determines the client IP by reading, 1. X-Real-IP header, 2. First entry of X-Forwarded-For header, and 3. r.RemoteAddr (TCP connection address). These headers were read unconditionally. An attacker connecting directly to Homebox could forge any value in X-Real-IP, effectively getting a fresh rate limit identity per request. There is a TrustProxy option in the configuration (Options.TrustProxy, default false), but this option was never read by any middleware or rate limiter code. Additionally, chi's middleware.RealIP was applied unconditionally in main.go, overwriting r.RemoteAddr with the forged header value before it reaches any handler. This vulnerability is fixed in 0.24.0.
Deeper analysis
CVE-2026-27981 is a vulnerability in HomeBox, a home inventory and organization system, affecting versions prior to 0.24.0. The issue resides in the authentication rate limiter (authRateLimiter), which tracks failed login attempts per client IP address. The client IP is determined by reading the X-Real-IP header first, followed by the first entry of the X-Forwarded-For header, and finally the r.RemoteAddr (TCP connection address). These headers are read unconditionally, enabling an attacker connecting directly to Homebox to forge the X-Real-IP value and obtain a fresh rate limit identity per request. The TrustProxy configuration option (default false) exists but is not read by the rate limiter or any middleware, and chi's middleware.RealIP is applied unconditionally in main.go, overwriting r.RemoteAddr with the forged header value before it reaches handlers.
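The lookup order described in the NVD text and in the paragraph above, and the bypass it allows, as an added Go example. This is not Homebox's code: it assumes a minimal per-identity failure counter, an Options struct carrying only the TrustProxy field the advisory names, a hypothetical /login path and constructed sample traffic, and it leaves chi's middleware.RealIP out so that the effect of the lookup order itself is visible. clientIPUnsafe reproduces the vulnerable order (X-Real-IP, first X-Forwarded-For entry, RemoteAddr, headers trusted unconditionally); clientIPHardened honours TrustProxy and, when a proxy is trusted, reads the last X-Forwarded-For entry rather than the first, since the first can be supplied by the client.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
	"sync"
)

// Options stands in for the Homebox configuration. The advisory names
// Options.TrustProxy (default false); everything else here is illustrative.
type Options struct {
	TrustProxy bool
}

// clientIPUnsafe mirrors the pre-0.24.0 lookup order the advisory describes:
// X-Real-IP, then the first X-Forwarded-For entry, then the TCP peer address,
// with the headers trusted unconditionally. A client that reaches the app
// directly therefore picks its own identity on every request.
func clientIPUnsafe(r *http.Request) string {
	if ip := strings.TrimSpace(r.Header.Get("X-Real-IP")); ip != "" {
		return ip
	}
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		return strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// clientIPHardened consults proxy headers only when the operator has declared
// a trusted proxy. Without one, the TCP peer address is the only identity the
// client cannot choose. With one, X-Real-IP is used if it parses as an address,
// otherwise the last X-Forwarded-For entry (the one the trusted proxy appended).
func clientIPHardened(r *http.Request, opts Options) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	if !opts.TrustProxy {
		return host
	}
	if ip := strings.TrimSpace(r.Header.Get("X-Real-IP")); net.ParseIP(ip) != nil {
		return ip
	}
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		parts := strings.Split(xff, ",")
		if ip := strings.TrimSpace(parts[len(parts)-1]); net.ParseIP(ip) != nil {
			return ip
		}
	}
	return host
}

// authRateLimiter is a minimal per-identity failure counter, not Homebox's
// own implementation; the identity function (keyFn) is what the fix changes.
type authRateLimiter struct {
	mu       sync.Mutex
	max      int
	failures map[string]int
	keyFn    func(*http.Request) string
}

func newAuthRateLimiter(max int, keyFn func(*http.Request) string) *authRateLimiter {
	return &authRateLimiter{max: max, failures: map[string]int{}, keyFn: keyFn}
}

// recordFailure counts one failed login against the request's identity and
// reports whether that identity has now exceeded the limit.
func (l *authRateLimiter) recordFailure(r *http.Request) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	key := l.keyFn(r)
	l.failures[key]++
	return l.failures[key] > l.max
}

// simulateBruteForce sends n failed logins from a single TCP peer, forging a
// different X-Real-IP on each request (constructed sample traffic), and
// returns how many of them the limiter rejected.
func simulateBruteForce(l *authRateLimiter, n int) int {
	blocked := 0
	for i := 0; i < n; i++ {
		r, _ := http.NewRequest(http.MethodPost, "/login", nil) // hypothetical path
		r.RemoteAddr = "198.51.100.7:51234"
		r.Header.Set("X-Real-IP", fmt.Sprintf("10.0.%d.%d", i/256, i%256))
		if l.recordFailure(r) {
			blocked++
		}
	}
	return blocked
}

func main() {
	const attempts, limit = 50, 5
	vuln := newAuthRateLimiter(limit, clientIPUnsafe)
	fixed := newAuthRateLimiter(limit, func(r *http.Request) string {
		return clientIPHardened(r, Options{TrustProxy: false})
	})
	fmt.Printf("vulnerable limiter: %d of %d attempts blocked\n", simulateBruteForce(vuln, attempts), attempts)
	fmt.Printf("hardened limiter:   %d of %d attempts blocked\n", simulateBruteForce(fixed, attempts), attempts)
}
```

With a limit of 5 and 50 attempts from one peer, the vulnerable limiter blocks nothing because every forged X-Real-IP value opens a fresh bucket, while the hardened limiter keys all 50 on 198.51.100.7 and rejects the 45 that follow the fifth failure. The same forged header is honoured by clientIPHardened only when TrustProxy is set, which is the behaviour the advisory says the original TrustProxy option never actually had.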
An unauthenticated attacker with network access to the Homebox instance (AV:N/PR:N/UI:N) can exploit this vulnerability, though it requires high attack complexity (AC:H). By forging IP headers on each request, the attacker bypasses rate limiting on authentication attempts, facilitating brute-force attacks to guess credentials. This can result in unauthorized access, leading to high impacts on confidentiality and integrity (C:H/I:H) with no availability impact (A:N), as reflected in the CVSS v3.1 base score of 7.4.
The vulnerability is addressed in HomeBox version 0.24.0. Security practitioners are advised to upgrade to this version or later to mitigate the issue. Additional details are available in the GitHub Security Advisory at https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-j86g-v96v-jpp3.
Details
- CWE(s)