CVE-2026-44698
Published: 29 May 2026
Summary
CVE-2026-44698 is a high-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528); ranked at the 3.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-33317
Vulnerability details
Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.4.1 for iOS and 2026.4.4 for Android, the Home Assistant Companion apps for Android and iOS expose a JavaScript bridge to the in-app WebView: window.externalApp on Android and webkit.messageHandlers.getExternalAuth (alongside revokeExternalAuth and externalBus) on iOS. Two flaws combine: the bridge is exposed to all frames (including cross-origin iframes), and the JavaScript callback identifier is interpolated without sanitization. Together they allow a cross-origin iframe rendered inside the Companion app to execute arbitrary JavaScript in the Home Assistant frontend's main-frame origin and exfiltrate the signed-in user's access token. This vulnerability is fixed in 2026.4.1 for iOS and 2026.4.4 for Android.
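The two hardening checks the description implies, as an added defensive illustration that is not Home Assistant's own code: handle bridge messages only from the main frame of the trusted origin, and never evaluate a caller-supplied callback name unchecked. The message model (isMainFrame, origin, callback) and the function names are assumptions standing in for the platform's real frame info and handlers.

```javascript
// Added illustration (not Home Assistant code): defensive handling for a
// native-to-WebView JavaScript bridge of the kind described above. The
// native side receives a callback identifier from page script and later
// evaluates "<callbackId>(<result>)" in the page. The message object below
// is a constructed stand-in for the platform's frame information.

const JS_IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

class BridgeError extends Error {}

// Check 1: only honour bridge calls from the main frame of the expected
// frontend origin, so a cross-origin iframe cannot reach the bridge at all.
function shouldHandleBridgeMessage(message, trustedOrigin) {
  if (!message || message.isMainFrame !== true) return false;
  return message.origin === trustedOrigin;
}

// Check 2: accept only a bare identifier as the callback name and pass the
// result as a JSON literal, so the evaluated string cannot carry
// caller-chosen statements.
function buildCallbackInvocation(callbackId, result) {
  if (typeof callbackId !== 'string' || !JS_IDENTIFIER.test(callbackId)) {
    throw new BridgeError(`rejected callback id: ${JSON.stringify(callbackId)}`);
  }
  return `${callbackId}(${JSON.stringify(result)});`;
}

// Combined handler (hypothetical name): returns the script to evaluate,
// null when the message is not eligible, and throws on a bad callback id.
function handleGetExternalAuth(message, trustedOrigin, authResult) {
  if (!shouldHandleBridgeMessage(message, trustedOrigin)) return null;
  return buildCallbackInvocation(message.callback, authResult);
}
```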
- CWE(s): CWE-94 (Code Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Directly enables theft of application access tokens via malicious cross-origin JS execution in the app WebView.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Enforces verification of the source of a communication channel by requiring identification and authentication of services first.
- Trusted path establishment enforces validation that the communication originates from and reaches only the intended trusted system components.
- Enforces validation of the true origin of DNS responses via signatures and chain-of-trust mechanisms.
- Mandates origin validation so that only legitimate endpoints can continue the authenticated session.
- Explicitly prohibiting dangerous or unnecessary functions and services prevents exposure of methods that could be directly exploited.
- Enforces origin validation of name/address data, eliminating reliance on unverified or impersonated DNS sources.
- Minimal functionality removes or avoids exposure of dangerous methods and functions.
- Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.