CVE-2026-34205
Published: 27 March 2026
Summary
CVE-2026-34205 is a critical-severity Improper Restriction of Communication Channel to Intended Endpoints (CWE-923) vulnerability. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Monitors and controls communications at the system boundary to block unauthorized access from adjacent local network devices to exposed Docker bridge endpoints.
Enforces approved information flows between connected systems, preventing exposure of internal Docker interfaces to unintended local network endpoints.
Identifies, reports, and corrects flaws like the improper network binding in Home Assistant Supervisor through timely patching.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability directly exposes internal unauthenticated endpoints to the adjacent network due to improper access restrictions (CWE-923), enabling an attacker to exploit the Home Assistant application for initial access with high impact.
NVD Description
Home Assistant is open source home automation software that puts local control and privacy first. Home Assistant apps (formerly add-ons) configured with host network mode expose unauthenticated endpoints bound to the internal Docker bridge interface to the local network. On…
more
Linux, this configuration does not restrict access to the app as intended, allowing any device on the same network to reach these endpoints without authentication. Home Assistant Supervisor 2026.03.02 addresses the issue.
Deeper analysisAI
CVE-2026-34205 is a vulnerability in Home Assistant, open source home automation software emphasizing local control and privacy. It affects Home Assistant apps (formerly add-ons) configured with host network mode on Linux systems, where unauthenticated endpoints bound to the internal Docker bridge interface are exposed to the local network. This exposure occurs because the configuration fails to restrict access as intended, enabling any device on the same network to reach these endpoints without authentication. The issue, classified under CWE-923, carries a CVSS v3.1 base score of 9.6 (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and was published on 2026-03-27.
An attacker on the adjacent local network can exploit this vulnerability with low attack complexity, requiring no privileges or user interaction. Exploitation allows unauthorized access to the exposed endpoints, potentially resulting in high impacts to confidentiality, integrity, and availability, with a changed scope that could extend compromise beyond the vulnerable component.
Home Assistant Supervisor 2026.03.02 addresses the vulnerability. Additional mitigation details are available in the security advisory at https://github.com/home-assistant/core/security/advisories/GHSA-gh5m-4m97-c95h.
Details
- CWE(s)