CVE-2026-27981
Published: 03 March 2026
Summary
CVE-2026-27981 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Sysadminsmedia Homebox. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Password Guessing (T1110.001). The CVE is ranked at the 22.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2026-27981 is a vulnerability in HomeBox, a home inventory and organization system, affecting versions prior to 0.24.0. The issue resides in the authentication rate limiter (authRateLimiter), which tracks failed login attempts per client IP address. The client IP is determined by reading the X-Real-IP header first, followed by the first entry of the X-Forwarded-For header, and finally the r.RemoteAddr (TCP connection address). These headers are read unconditionally, enabling an attacker connecting directly to Homebox to forge the X-Real-IP value and obtain a fresh rate limit identity per request. The TrustProxy configuration option (default false) exists but is not read by the rate limiter or any middleware, and chi's middleware.RealIP is applied unconditionally in main.go, overwriting r.RemoteAddr with the forged header value before it reaches handlers.
An unauthenticated attacker with network access to the Homebox instance (AV:N/PR:N/UI:N) can exploit this vulnerability, though it requires high attack complexity (AC:H). By forging IP headers on each request, the attacker bypasses rate limiting on authentication attempts, facilitating brute-force attacks to guess credentials. This can result in unauthorized access, leading to high impacts on confidentiality and integrity (C:H/I:H) with no availability impact (A:N), as reflected in the CVSS v3.1 base score of 7.4.
The vulnerability is addressed in HomeBox version 0.24.0. Security practitioners are advised to upgrade to this version or later to mitigate the issue. Additional details are available in the GitHub Security Advisory at https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-j86g-v96v-jpp3.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9346
Vulnerability details
HomeBox is a home inventory and organization system. Prior to 0.24.0, the authentication rate limiter (authRateLimiter) tracks failed attempts per client IP. It determines the client IP by reading, 1. X-Real-IP header, 2. First entry of X-Forwarded-For header, and 3. r.RemoteAddr (TCP connection address). These headers were read unconditionally. An attacker connecting directly to Homebox could forge any value in X-Real-IP, effectively getting a fresh rate limit identity per request. There is a TrustProxy option in the configuration (Options.TrustProxy, default false), but this option was never read by any middleware or rate limiter code. Additionally, chi's middleware.RealIP was applied unconditionally in main.go, overwriting r.RemoteAddr with the forged header value before it reaches any handler. This vulnerability is fixed in 0.24.0.
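The following Go program is an added example illustrating the identity derivation described in the advisory text above and in the Deeper analysis section; it is not Homebox's code and not taken from the advisory. It places the unconditional header-first lookup beside a hardened variant that consults X-Real-IP and X-Forwarded-For only when a trustProxy flag (modelled on Options.TrustProxy, but a local parameter here) is set, and replays failed logins from a single TCP peer with a different forged X-Real-IP on each request against a minimal per-key failed-attempt counter. The limiter type, the function names, the limit of 5 attempts and the addresses 203.0.113.10 and 10.0.x.y are all constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
	"sync"
)

// hostOnly strips the port from a "host:port" RemoteAddr, including the
// bracketed IPv6 form "[::1]:8080".
func hostOnly(addr string) string {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return addr
	}
	return host
}

// headerIP reads the proxy headers in the order the advisory describes:
// X-Real-IP first, then the first (left-most) X-Forwarded-For entry.
func headerIP(r *http.Request) string {
	if ip := strings.TrimSpace(r.Header.Get("X-Real-IP")); ip != "" {
		return ip
	}
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		return strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	return ""
}

// clientIPVulnerable reproduces the pre-0.24.0 pattern: proxy headers are
// honoured unconditionally, so a client talking directly to the server
// chooses its own rate-limit identity on every request.
func clientIPVulnerable(r *http.Request) string {
	if ip := headerIP(r); ip != "" {
		return ip
	}
	return hostOnly(r.RemoteAddr)
}

// clientIPHardened honours proxy headers only when the operator has declared
// a trusted reverse proxy in front (trustProxy, an assumed stand-in for
// Options.TrustProxy); otherwise the identity is the TCP peer address,
// which a direct client cannot forge.
func clientIPHardened(r *http.Request, trustProxy bool) string {
	if trustProxy {
		if ip := headerIP(r); ip != "" {
			return ip
		}
	}
	return hostOnly(r.RemoteAddr)
}

// authRateLimiter is a minimal per-key failed-attempt counter, constructed
// for this example and not Homebox's implementation.
type authRateLimiter struct {
	mu       sync.Mutex
	limit    int
	failures map[string]int
}

func newAuthRateLimiter(limit int) *authRateLimiter {
	return &authRateLimiter{limit: limit, failures: make(map[string]int)}
}

// Allow reports whether key is still under the failed-attempt limit.
func (l *authRateLimiter) Allow(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	return l.failures[key] < l.limit
}

// RecordFailure counts one more failed login for key.
func (l *authRateLimiter) RecordFailure(key string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	l.failures[key]++
}

// simulateBruteForce replays n failed logins from one TCP peer (constructed
// address 203.0.113.10), each carrying a distinct forged X-Real-IP, and
// returns how many attempts the limiter let through under the given
// identity function.
func simulateBruteForce(n, limit int, identity func(*http.Request) string) int {
	limiter := newAuthRateLimiter(limit)
	passed := 0
	for i := 0; i < n; i++ {
		req := &http.Request{Header: http.Header{}, RemoteAddr: "203.0.113.10:51234"}
		req.Header.Set("X-Real-IP", fmt.Sprintf("10.0.%d.%d", i/256, i%256))
		key := identity(req)
		if !limiter.Allow(key) {
			continue
		}
		passed++
		limiter.RecordFailure(key) // every attempt in this simulation is a wrong password
	}
	return passed
}

func main() {
	direct := func(r *http.Request) string { return clientIPHardened(r, false) }
	fmt.Printf("vulnerable limiter let through %d of 1000 attempts\n", simulateBruteForce(1000, 5, clientIPVulnerable))
	fmt.Printf("hardened limiter let through %d of 1000 attempts\n", simulateBruteForce(1000, 5, direct))
}
```

With the vulnerable derivation every one of the 1000 attempts gets a fresh key and passes; with the hardened derivation and trustProxy=false all attempts collapse onto 203.0.113.10 and only the first 5 pass. Two caveats follow from the advisory: the hardened lookup only helps if nothing earlier in the middleware chain (such as an unconditional middleware.RealIP) has already overwritten r.RemoteAddr with the header value, and setting trustProxy=true is only safe when the reverse proxy overwrites, rather than passes through or appends to, the client-supplied X-Real-IP and X-Forwarded-For headers; otherwise the same forgery works through the proxy.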
- CWE(s): CWE-307 (Improper Restriction of Excessive Authentication Attempts)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1110.001 Brute Force: Password Guessing
- T1190 Exploit Public-Facing Application
Why these techniques?
Rate limiter bypass via forged X-Real-IP/X-Forwarded-For headers directly enables unlimited authentication attempts for password guessing (T1110.001); the flaw exists in a public-facing web application and is exploited over the network (T1190).
Affected Assets
- Sysadminsmedia Homebox, versions prior to 0.24.0 (fixed in 0.24.0)
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- AC-7 (Unsuccessful Logon Attempts): Directly enforces limits on unsuccessful logon attempts; the CVE exists only because the rate-limiter implementation fails to bind those limits to a trustworthy client identity.
- SC-7 (Boundary Protection): Requires boundary-protection mechanisms to validate or ignore untrusted proxy headers (X-Real-IP, X-Forwarded-For) before they influence security decisions such as rate-limit identity.
- SI-10 (Information Input Validation): Mandates validation of information inputs; the forged headers that defeat the rate limiter are accepted without any check against the TrustProxy setting or the actual connection source.