
CVE-2026-27181: Missing Authorization in sergejey MajorDoMo

Severity: High
Published: Wed Feb 18 2026 (02/18/2026, 21:10:41 UTC)
Source: CVE Database V5
Vendor/Project: sergejey
Product: MajorDoMo

Description

MajorDoMo (aka Major Domestic Module) allows unauthenticated arbitrary module uninstallation through the market module. The market module's admin() method reads gr('mode') from $_REQUEST and assigns it to $this->mode at the start of execution, making all mode-gated code paths reachable without authentication via the /objects/?module=market endpoint. The uninstall mode handler calls uninstallPlugin(), which deletes module records from the database, executes the module's uninstall() method via eval(), recursively deletes the module's directory and template files using removeTree(), and removes associated cycle scripts. An attacker can iterate through module names and wipe the entire MajorDoMo installation with a series of unauthenticated GET requests.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/05/2026, 09:25:59 UTC

Technical Analysis

CVE-2026-27181 is a critical authorization bypass vulnerability in MajorDoMo, an open-source home automation platform developed by sergejey. The flaw is in the market module's admin() method, which reads the 'mode' parameter from the HTTP request ($_REQUEST['mode']) and assigns it to an internal variable without first checking whether the caller is authenticated or authorized. As a result, every mode-gated code path, including the uninstall handler, is reachable by unauthenticated users.

When 'mode' is set to 'uninstall', the uninstallPlugin() method runs. It deletes the module's records from the database, executes the module's uninstall() method via eval(), recursively deletes the module's directory and template files with removeTree(), and removes the associated cycle scripts. Because the endpoint answers unauthenticated GET requests at /objects/?module=market, an attacker can iterate over module names and uninstall them one by one, effectively wiping the entire MajorDoMo installation.

Exploitation requires no privileges and no user interaction and can be performed remotely over the network. The CVSS 4.0 base score is 8.7, reflecting high impact on availability and integrity with low attack complexity and no authentication required. No exploits in the wild have been reported yet, but the potential damage is severe. The affected version is listed as '0', indicating that early or all versions prior to patching are vulnerable. No official patch links are currently available, so users and vendors need to act on this promptly.

Potential Impact

The impact of CVE-2026-27181 is significant for organizations using MajorDoMo for home or building automation. Successful exploitation results in complete loss of installed modules, which can disrupt automation workflows, disable critical smart home functions, and cause operational downtime. The integrity of the system is compromised as attackers can delete database records and execute arbitrary uninstall scripts. Availability is severely affected since the entire MajorDoMo installation can be wiped remotely without any authentication. This can lead to costly recovery efforts, loss of data, and potential safety risks if automation controls are disabled unexpectedly. For enterprises or service providers managing multiple MajorDoMo instances, the risk multiplies as attackers could automate attacks to cause widespread disruption. Although no known exploits are reported in the wild yet, the ease of exploitation and high impact make this vulnerability a prime target for attackers. The lack of authentication and user interaction requirements broadens the attack surface, increasing the likelihood of exploitation in exposed environments.

Mitigation Recommendations

To mitigate CVE-2026-27181, organizations should immediately restrict network access to the /objects/?module=market endpoint, ideally limiting it to trusted internal networks or VPNs. Implementing web application firewalls (WAFs) with custom rules to block unauthenticated requests containing the 'mode=uninstall' parameter can provide a temporary protective measure. Users should monitor logs for suspicious GET requests targeting the market module and the uninstall mode. Until an official patch is released, consider disabling the market module if feasible or applying code-level fixes to enforce strict authentication and authorization checks before processing the 'mode' parameter. Developers should refactor the admin() method to validate user credentials and permissions before allowing any mode-gated operations, especially destructive ones like uninstall. Regular backups of MajorDoMo configurations and modules are critical to enable recovery in case of successful exploitation. Finally, stay alert for vendor advisories and apply patches promptly once available to fully remediate the vulnerability.
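As an added example (not from this advisory or the MajorDoMo project), a small Python access-log scanner for the GET request shape the advisory describes, grouping hits by source and flagging sources that repeat the uninstall mode with different parameters. The log lines are constructed, and the `name` query parameter is a placeholder, since the advisory does not say how the module to uninstall is named; only GET query strings appear in access logs, so this covers the GET form the advisory names and not a POST body carrying the same parameters.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Feb/2026:21:10:41 +0000] "GET /objects/?module=market&mode=uninstall&name=alpha HTTP/1.1" 200 512 "-" "curl/8.4"
203.0.113.7 - - [18/Feb/2026:21:10:42 +0000] "GET /objects/?module=market&mode=uninstall&name=beta HTTP/1.1" 200 512 "-" "curl/8.4"
198.51.100.4 - - [18/Feb/2026:21:11:00 +0000] "GET /objects/?module=market HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.4 - - [18/Feb/2026:21:11:05 +0000] "GET /panel/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*"')

def parse_line(line):
    """Return (ip, timestamp, method, path, query dict), or None if the line is not a request line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return m.group("ip"), m.group("ts"), m.group("method"), parts.path, query

def is_market_uninstall(path, query):
    """Match the request shape the advisory names: /objects/ with module=market and mode=uninstall."""
    return path.rstrip("/") == "/objects" and query.get("module") == "market" and query.get("mode") == "uninstall"

def find_uninstall_attempts(log_text):
    """Group matching requests by source IP (access logs only show GET query strings, so coverage is partial)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, query = parsed
        if is_market_uninstall(path, query):
            # Keep the remaining parameters so repeated attempts against different modules stand out.
            extra = tuple(sorted((k, v) for k, v in query.items() if k not in ("module", "mode")))
            hits[ip].append({"time": ts, "method": method, "params": extra})
    return dict(hits)

def iterating_sources(hits, min_distinct=2):
    """Sources hitting the uninstall mode with several distinct parameter sets: the iteration pattern the advisory describes."""
    return sorted(ip for ip, reqs in hits.items() if len({r["params"] for r in reqs}) >= min_distinct)

if __name__ == "__main__":
    found = find_uninstall_attempts(SAMPLE_LOG)
    print({ip: len(reqs) for ip, reqs in found.items()}, iterating_sources(found))
```

Feed it real access logs line by line and alert on any hit from outside the trusted network; a source listed by iterating_sources() matches the module-by-module wipe the advisory warns about.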


Technical Details

Data Version: 5.2
Assigner Short Name: VulnCheck
Date Reserved: 2026-02-18T15:22:30.054Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69962e786aea4a407ae9220d

Added to database: 2/18/2026, 9:26:16 PM

Last enriched: 3/5/2026, 9:25:59 AM

Last updated: 4/5/2026, 7:47:48 PM
