HIGH | CVE-2026-44698 | CNA: GitHub_M

CVE-2026-44698: Home Assistant: Cross-origin iframe access token exfiltration via WebView JS bridge callback injection

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.4.1 for iOS and 2026.4.4 for Android, the Home Assistant Companion apps for Android and iOS expose a JavaScript bridge to the in-app WebView: window.externalApp on Android and webkit.messageHandlers.getExternalAuth (alongside revokeExternalAuth and externalBus) on iOS. Two flaws, exposure of the bridge to all frames (including cross-origin iframes) and unsanitized interpolation of the JavaScript callback identifier, allow a cross-origin iframe rendered inside the Companion app to execute arbitrary JavaScript in the Home Assistant frontend's main-frame origin and exfiltrate the signed-in user's access token. This vulnerability is fixed in 2026.4.1 for iOS and 2026.4.4 for Android.
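The two conditions named above, the bridge answering any frame and the callback identifier being spliced into evaluated script, can both be rejected on the native side before any script is built. The sketch below is an added example written for this page, not the Companion apps' code or their actual fix; the request shape (isMainFrame, origin, callback) and the externalAuthSetToken callback name are assumptions.

```javascript
// Added illustration (not Home Assistant Companion code): how a native-side
// JS bridge can refuse cross-origin frames and avoid splicing caller text into
// the script it evaluates. Request shape and callback name are assumptions.

// A callback must be a plain (optionally dotted) JavaScript identifier.
// Anything else is not a name and must never reach the evaluated string.
const CALLBACK_ID = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Build the script the bridge evaluates in the WebView. The payload goes
// through JSON.stringify, so it is always a literal, never code.
function buildCallbackScript(callbackId, payload) {
  if (typeof callbackId !== "string" || !CALLBACK_ID.test(callbackId)) {
    throw new Error("rejected callback identifier");
  }
  return `${callbackId}(${JSON.stringify(payload)});`;
}

// Answer only the main frame, and only when it is the frontend's own origin.
// A cross-origin iframe inside the same WebView fails both conditions.
function shouldAnswer(request, mainFrameOrigin) {
  return request.isMainFrame === true && request.origin === mainFrameOrigin;
}

// Handler for a getExternalAuth-style request: returns the script to
// evaluate, or null when the request is dropped without any evaluation.
function handleGetExternalAuth(request, mainFrameOrigin, auth) {
  if (!shouldAnswer(request, mainFrameOrigin)) return null;
  return buildCallbackScript(request.callback, auth);
}

// Constructed sample requests (not captured traffic).
const MAIN_FRAME_REQUEST = {
  isMainFrame: true,
  origin: "https://ha.example",
  callback: "externalAuthSetToken",
};
const IFRAME_REQUEST = {
  isMainFrame: false,
  origin: "https://third-party.example",
  callback: "externalAuthSetToken",
};
const AUTH = { access_token: "constructed-token", expires_in: 1800 };
```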

HarborGuard Analysis

Synopsis

This is a cross-origin JavaScript bridge injection flaw in the Home Assistant Companion apps for iOS and Android. The bridge is reachable over the network when a user is lured into loading a malicious page inside the in-app WebView, and because the bridge is exposed to all frames and interpolates a callback identifier without sanitization, a cross-origin iframe can execute arbitrary JavaScript in the Home Assistant frontend origin and steal the signed-in user's access token. A patched-image rebuild at Companion 2026.4.1 (iOS) / 2026.4.4 (Android) and Home Assistant core 2026.4.4 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: CVE-2026-44698 is ingested from upstream feeds within minutes of GitHub's advisory publication and matched against Home Assistant core and Companion app artifacts in customer registries and build pipelines. Matching covers custom-built images that bundle or derive from the affected versions.

Triage: Available

Triage is available with the published CVSS 3.1 score of 8.3 (High) weighted against each customer org's compliance policy, so environments that classify mobile-paired or token-bearing services as elevated risk see the finding scored accordingly. Findings route to the inbox configured for the owning team inside each customer org.

Patch: Pending upstream

Patched-image rebuilds at Home Assistant core 2026.4.4 (and Companion 2026.4.1 iOS / 2026.4.4 Android where applicable) are available on HarborGuard for affected environments. Customers with auto-remediation enabled get a rebuilt image, a regression-test run, and a PR opened against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The attacker must get the victim's Companion app WebView to load attacker-controlled content over the network, typically via a malicious page or embedded iframe.

  • Authentication: Not required

    PR:N: the attacker needs no account on the target Home Assistant instance to trigger the bridge.

  • Victim interaction: Required

    UI:R: a signed-in user must open or be navigated to attacker-controlled content inside the Companion app's in-app WebView.

  • Attack complexity: High

    AC:H: exploitation depends on getting a cross-origin iframe rendered inside the Companion WebView while the user is authenticated, which requires some setup beyond a single click.

Blast Radius

  • Reads the signed-in user's Home Assistant access token from the frontend origin, granting full API access as that user.
  • Executes arbitrary JavaScript in the Home Assistant frontend's main-frame origin, enabling tampering with the UI and issuing authenticated backend calls.
  • With a stolen token, an attacker can control connected devices, modify automations, and disrupt availability of the Home Assistant deployment.

How HarborGuard Handles This

Available on HarborGuard: a patched-image rebuild at Home Assistant core 2026.4.4 (paired with Companion 2026.4.1 for iOS and 2026.4.4 for Android) is staged for affected environments. For customers who opt into auto-remediation, the rebuild runs through regression tests and a PR is opened against affected workloads automatically; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Environments that cannot upgrade Companion clients immediately should treat the mobile app surface as the primary risk and restrict which external URLs the Home Assistant frontend can embed until the client update propagates.

Metrics

CVSS v3.1: 8.3
Severity: HIGH
Fixed in: Home Assistant core 2026.4.4; Companion app 2026.4.1 (iOS) / 2026.4.4 (Android)
Affected products: 3

Affected packages
  • home-assistant / core: < 2026.4.4
  • Home Assistant / Companion app (iOS): < 2026.4.1
  • Home Assistant / Companion app (Android): < 2026.4.4

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H