Cyber Resilience

CVE-2026-44698

HighRCEUpdated

Published: 29 May 2026

Published
29 May 2026
Modified
17 June 2026
KEV Added
Patch
CVSS Score v3.1 8.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0014 3.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-44698 is a high-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528); ranked at the 3.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.4.1 for iOS and 2026.4.4 for Android, he Home Assistant Companion apps for Android and iOS expose a JavaScript bridge to the in-app…

more

WebView window.externalApp on Android and webkit.messageHandlers.getExternalAuth (alongside revokeExternalAuth and externalBus) on iOS. Two flaws expose the bridge to all frames (including cross-origin iframes) and unsanitized interpolation of the JavaScript callback identifier allows a cross-origin iframe rendered inside the Companion app to execute arbitrary JavaScript in the Home Assistant frontend's main-frame origin and exfiltrate the signed-in user's access token. This vulnerability is fixed in 2026.4.1 for iOS and 2026.4.4 for Android.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1528 Steal Application Access Token Credential Access
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
Why these techniques?

Directly enables theft of application access tokens via malicious cross-origin JS execution in the app WebView.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-940 CWE-346

Enforces verification of the source of a communication channel by requiring identification and authentication of services first.

addresses: CWE-346 CWE-940

Trusted path establishment enforces validation that the communication originates from and reaches only the intended trusted system components.

addresses: CWE-346 CWE-940

Enforces validation of the true origin of DNS responses via signatures and chain-of-trust mechanisms.

addresses: CWE-346 CWE-940

Mandates origin validation so that only legitimate endpoints can continue the authenticated session.

addresses: CWE-749

Explicitly prohibiting dangerous or unnecessary functions and services prevents exposure of methods that could be directly exploited.

addresses: CWE-346

Enforces origin validation of name/address data, eliminating reliance on unverified or impersonated DNS sources.

addresses: CWE-749

Minimal functionality removes or avoids exposure of dangerous methods and functions.

addresses: CWE-94

Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.

References