CVE-2026-54317
Published: 23 June 2026
Summary
CVE-2026-54317 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability. Its CVSS base score is 7.6 (High).
Operationally, ranked at the 8.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
EU & UK References
No EU or UK CSIRT advisories indexed for this CVE.
Vulnerability details
Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.6.0, the Konnected integration registers an HTTP endpoint, KonnectedView (homeassistant/components/konnected/__init__.py), that is marked as not requiring authentication (requires_auth = False). A comment next…
more
to that line says auth is instead handled "via the access token from configuration." That promise is only half true. Write requests (POST and PUT) are handled by update_sensor(), which does check the request's Authorization: Bearer <token> header against the integration's stored access tokens (using hmac.compare_digest). Read requests (GET) are handled by a separate get() method that has no authentication check at all. This vulnerability is fixed in 2026.6.0.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Session auditing enables detection of unauthorized exposure or access to sensitive information during user activities.
Privacy and security architectures require controls to protect sensitive information from unauthorized exposure across the system lifecycle.
Inventory identifies all systems holding or processing data, enabling detection of unauthorized exposure paths before exploitation.
Protection planning for critical infrastructure directly calls for authentication of access to essential functions before any operation is permitted.
Risk assessments evaluate exposure of critical functions lacking authentication and prioritize corrective controls.
Requires authentication gates on critical functions that must remain unavailable to anonymous public users.
Treats remote activation of surveillance-capable devices as a critical function that must be disabled or authenticated.
Decoys supply misleading data and log access attempts, directly detecting and deflecting unauthorized information exposure.