Cyber Posture

CVE-2026-40196

Severity: High
Published: 17 April 2026
Modified: 24 April 2026
KEV Added: not listed
Patch: fixed in version 0.25.0
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0003 (9.8th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-40196 is a high-severity Incorrect Ownership Assignment (CWE-708) vulnerability in Sysadminsmedia Homebox. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks this CVE at the 9.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): requires enforcement of approved authorizations, directly addressing the API's failure to validate the persisted defaultGroup ID, and to honour its revocation, when the X-Tenant header is omitted.

AC-2 Account Management (prevent): mandates proper account management, including updating or revoking group memberships when access is revoked, which prevents the defaultGroup ID from remaining permanently assigned after an invitation is rescinded.

AC-6 Least Privilege (prevent): ensures users can only reach groups they are authorized for, mitigating the elevated access granted by the unrevoked defaultGroup ID in API calls.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a remote access control bypass in the API of a web-based application (HomeBox), directly enabling exploitation of public-facing applications to perform unauthorized CRUD operations on group resources.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

HomeBox is a home inventory and organization system. Versions prior to 0.25.0 contain a vulnerability where the defaultGroup ID remained permanently assigned to a user after being invited to a group, even after their access to that group was revoked. While the web interface correctly enforced the access revocation and prevented the user from viewing or modifying the group's contents, the API did not. Because the original group ID persisted as the user's defaultGroup, and this value was not properly validated when the X-Tenant header was omitted, the user could still perform full CRUD operations on the group's collections through the API, bypassing the intended access controls. This issue has been fixed in version 0.25.0.

Deeper analysis

CVE-2026-40196 is an access control bypass vulnerability (CWE-708) in HomeBox, an open-source home inventory and organization system. Versions prior to 0.25.0 fail to properly revoke a user's defaultGroup ID after their invitation to a group is rescinded. Although the web interface correctly blocks access to the group's contents post-revocation, the API does not validate the persisted defaultGroup ID when the X-Tenant header is absent from requests, enabling unauthorized operations on group resources. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

A low-privileged authenticated user (PR:L) who was previously invited to a group can exploit this issue remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). By omitting the X-Tenant header in API calls, the attacker leverages their unchanged defaultGroup ID to perform full CRUD (create, read, update, delete) operations on the group's collections, bypassing revocation controls. This results in high impacts to confidentiality and integrity, allowing data exfiltration, modification, or injection without affecting availability.
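The header-fallback pattern described above, shown as an added Go example that is not HomeBox's code. Only the X-Tenant header name and the idea of a persisted defaultGroup come from the advisory; the in-memory Store, the User model, the group names and the resolveTenantVulnerable/resolveTenantFixed functions are all constructed assumptions. The vulnerable resolver validates an explicit header but trusts the persisted default group unchecked; the fixed resolver puts both paths through the same membership check (the AC-3 control), and the Revoke helper optionally resets the default group on revocation (the AC-2 control):

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// ErrForbidden is returned when the caller is not a member of the resolved group.
var ErrForbidden = errors.New("forbidden: caller is not a member of the resolved group")

// tenantHeader is the header named in the advisory; omitting it means "use my default group".
const tenantHeader = "X-Tenant"

// User is a constructed model: DefaultGroup is persisted on the account and, in the
// flawed flow, is not cleared when membership in that group is revoked.
type User struct{ ID, OwnGroup, DefaultGroup string }

// Store is a constructed in-memory stand-in for the application's database.
type Store struct {
	users       map[string]*User
	memberships map[string]map[string]bool // groupID -> set of member user IDs
}

func NewStore() *Store {
	return &Store{users: map[string]*User{}, memberships: map[string]map[string]bool{}}
}

func (s *Store) addMember(groupID, userID string) {
	if s.memberships[groupID] == nil {
		s.memberships[groupID] = map[string]bool{}
	}
	s.memberships[groupID][userID] = true
}

func (s *Store) IsMember(groupID, userID string) bool { return s.memberships[groupID][userID] }

// AddUser creates a user whose own group is initially also their default group.
func (s *Store) AddUser(id, ownGroup string) *User {
	u := &User{ID: id, OwnGroup: ownGroup, DefaultGroup: ownGroup}
	s.users[id] = u
	s.addMember(ownGroup, id)
	return u
}

// AcceptInvite joins the group and makes it the user's default group.
func (s *Store) AcceptInvite(groupID, userID string) {
	s.addMember(groupID, userID)
	s.users[userID].DefaultGroup = groupID
}

// Revoke removes the membership. With resetDefault=false it leaves DefaultGroup
// untouched (the CWE-708 state the advisory describes); with resetDefault=true it
// also moves the default back to the user's own group, the AC-2 style data-side fix.
func (s *Store) Revoke(groupID, userID string, resetDefault bool) {
	delete(s.memberships[groupID], userID)
	if u := s.users[userID]; resetDefault && u.DefaultGroup == groupID {
		u.DefaultGroup = u.OwnGroup
	}
}

// resolveTenantVulnerable mirrors the flawed pattern: an explicit header is validated,
// but when the header is omitted the persisted default group is trusted as-is.
func resolveTenantVulnerable(s *Store, u *User, h http.Header) (string, error) {
	if g := h.Get(tenantHeader); g != "" {
		if !s.IsMember(g, u.ID) {
			return "", ErrForbidden
		}
		return g, nil
	}
	return u.DefaultGroup, nil // AC-3 gap: no membership check on this path
}

// resolveTenantFixed enforces membership on every path (AC-3): the default group is
// just another candidate that must pass the same check as an explicit header value.
func resolveTenantFixed(s *Store, u *User, h http.Header) (string, error) {
	g := h.Get(tenantHeader)
	if g == "" {
		g = u.DefaultGroup
	}
	if g == "" || !s.IsMember(g, u.ID) {
		return "", ErrForbidden
	}
	return g, nil
}

// Scenario replays the advisory's sequence (alice is invited to bob's group, then
// revoked, then calls the API without X-Tenant) and returns what each resolver decides.
func Scenario(resetDefaultOnRevoke bool) (vulnGroup string, vulnErr error, fixedGroup string, fixedErr error) {
	s := NewStore()
	alice := s.AddUser("alice", "group-alice")
	s.AddUser("bob", "group-bob")
	s.AcceptInvite("group-bob", "alice")
	s.Revoke("group-bob", "alice", resetDefaultOnRevoke)
	vulnGroup, vulnErr = resolveTenantVulnerable(s, alice, http.Header{}) // header omitted
	fixedGroup, fixedErr = resolveTenantFixed(s, alice, http.Header{})
	return
}

func main() {
	for _, reset := range []bool{false, true} {
		vg, ve, fg, fe := Scenario(reset)
		fmt.Printf("resetDefaultOnRevoke=%-5v vulnerable: %q %v | fixed: %q %v\n", reset, vg, ve, fg, fe)
	}
}
```

Run with `go run .`: without the reset, the vulnerable resolver still hands alice the revoked group while the fixed one returns ErrForbidden; with the reset, both resolvers land on alice's own group. The two fixes are independent, and the request-side check is the one that closes the bypass even for accounts whose stale defaultGroup was persisted before the data fix was applied.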

The vulnerability is fixed in HomeBox version 0.25.0. Security practitioners should upgrade to this version immediately. Additional details are available in the release notes at https://github.com/sysadminsmedia/homebox/releases/tag/v0.25.0 and the GitHub security advisory at https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-6pvm-v73p-p6m9.

Details

CWE(s): CWE-708 Incorrect Ownership Assignment
Affected Products: sysadminsmedia homebox ≤ 0.25.0

CVEs Like This One

CVE-2026-27981 (same product: Sysadminsmedia Homebox)
