CVE-2026-27600 is a medium-severity Server-Side Request Forgery (SSRF) vulnerability identified in the HomeBox home inventory and organization system developed by sysadminsmedia. The issue exists in versions prior to 0.24.0-rc.1 within the notifier functionality, which allows authenticated users to specify arbitrary URLs to which the application sends HTTP POST requests. Critically, the application performs no validation or restrictions on the host, IP address, or port supplied by the user. Although the response body from the target service is not returned to the user, the application's user interface behavior changes based on the network state of the destination URL. This behavioral side-channel can be exploited to enumerate internal services and network topology, potentially exposing sensitive internal infrastructure details. The vulnerability requires an attacker to have valid authentication credentials but does not require additional user interaction. The CVSS v3.1 base score is 5.0, reflecting network attack vector, low attack complexity, required privileges, no user interaction, and limited confidentiality impact without integrity or availability effects. The vulnerability was reserved on February 20, 2026, and published on March 3, 2026. No known exploits have been reported in the wild. The issue is resolved in HomeBox version 0.24.0-rc.1 by implementing proper validation and restrictions on the URLs accepted by the notifier functionality.

The primary impact of CVE-2026-27600 is the potential for internal network reconnaissance by authenticated attackers. By exploiting the SSRF vulnerability, attackers can probe internal services that are otherwise inaccessible externally, gaining insights into internal IP addresses, open ports, and service availability. This information can be leveraged to plan further attacks such as lateral movement, privilege escalation, or exploitation of internal-only services. Although the vulnerability does not directly allow data exfiltration or service disruption, the exposure of internal network topology can significantly increase the attack surface and risk profile of affected organizations. Since the vulnerability requires authentication, the risk is limited to users with valid credentials, but insider threats or compromised accounts could exploit it. Organizations relying on HomeBox for home inventory management, especially those integrating it into broader network environments, may inadvertently expose internal infrastructure details. The lack of known exploits in the wild suggests limited active exploitation currently, but the vulnerability's presence in a network-facing application warrants prompt remediation to prevent future attacks.

To mitigate CVE-2026-27600, organizations should immediately upgrade HomeBox to version 0.24.0-rc.1 or later, where the vulnerability is fixed. Until an upgrade is possible, restrict access to the notifier functionality to trusted users only, minimizing the number of authenticated users who can specify arbitrary URLs. Implement network segmentation and firewall rules to limit the HomeBox server's ability to initiate outbound HTTP requests to internal services, thereby reducing the impact of SSRF attempts. Monitor logs for unusual notifier usage patterns or unexpected HTTP POST requests to internal IP ranges. Employ multi-factor authentication to reduce the risk of credential compromise. Additionally, conduct regular audits of user privileges within HomeBox to ensure only necessary users have access to sensitive features. Finally, consider deploying web application firewalls (WAFs) that can detect and block SSRF patterns targeting internal resources.