CVE-2023-27482

CRITICAL
Published Mar 8, 2023 · Modified Jun 17, 2026
CVSS 3.1 Base Score 10.0 (Critical)

Description

Home Assistant is an open source home automation tool. A remotely exploitable vulnerability that bypasses authentication when accessing the Supervisor API through Home Assistant has been discovered. This impacts all Home Assistant installation types that use Supervisor 2023.01.1 or older. Installation types such as Home Assistant Container (for example Docker), or Home Assistant Core run manually in a Python environment, are not affected. The issue has been mitigated and closed in Supervisor version 2023.03.1, which has been rolled out to all affected installations via the auto-update feature of the Supervisor. This rollout had been completed at the time of publication of the advisory. Home Assistant Core 2023.3.0 also includes a mitigation for this vulnerability, so upgrading to at least that version is advised. If the Home Assistant Supervisor or the Home Assistant Core application cannot be upgraded at this time, it is advised not to expose the Home Assistant instance to the internet.

CVSS Details

Base Score
10.0
Exploitability
3.9
Impact
6.0
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Changed
Confidentiality High
Integrity High
Availability High

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses (1)

CWE-287 Improper Authentication

Affected Products (2)

Vendor          Product         Version   Range
home-assistant  home-assistant  *         <2023.3.0
home-assistant  supervisor      *         <2023.03.1

References (4)

  • github.com https://github.com/elttam/publications/blob/master/writeups/home-assistant/supervisor-authentication-bypass-advisory.md
  • github.com https://github.com/home-assistant/core/security/advisories/GHSA-2j8f-h4mr-qr25 (Vendor Advisory)
  • elttam.com https://www.elttam.com/blog/pwnassistant/
  • home-assistant.io https://www.home-assistant.io/blog/2023/03/08/supervisor-security-disclosure/ (Issue Tracking, Vendor Advisory)

Remediation

No remediation data recorded in this field yet. The description above names the fixed versions: Supervisor 2023.03.1 (distributed via the Supervisor auto-update) and Home Assistant Core 2023.3.0.

Check the vendor advisories listed in the references and the NVD entry for current patch availability.