Homarr is an open-source dashboard platform used to manage and display integrations with various services. Prior to version 1.54.0, the integration.all tRPC endpoint was incorrectly configured as a publicProcedure, meaning it was accessible without any authentication or authorization checks. This endpoint returns a comprehensive list of all configured integrations within the Homarr instance, including sensitive metadata such as internal service URLs, integration names, and service types. This exposure constitutes a CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-862 (Missing Authorization) vulnerability. An attacker can exploit this flaw remotely without any user interaction or credentials, simply by querying the endpoint. The disclosed information could facilitate further attacks by revealing internal network architecture, service endpoints, and integration details, which are typically intended to be confidential. The vulnerability has a CVSS 3.1 base score of 5.3 (medium severity), reflecting the ease of exploitation and limited impact confined to confidentiality loss. The issue was publicly disclosed on March 7, 2026, and fixed in Homarr version 1.54.0. No known exploits have been reported in the wild as of now.

The primary impact of this vulnerability is unauthorized disclosure of sensitive configuration data, which can compromise the confidentiality of internal network details and service integrations. Attackers gaining this information can perform targeted reconnaissance, increasing the risk of subsequent attacks such as lateral movement, privilege escalation, or exploitation of other vulnerabilities in exposed services. While the vulnerability does not directly affect integrity or availability, the exposure of internal URLs and integration metadata can significantly aid attackers in crafting more effective attacks. Organizations relying on Homarr dashboards for managing critical infrastructure or sensitive services may face increased risk of targeted cyberattacks, data breaches, or operational disruptions if this vulnerability is exploited. The risk is particularly relevant for enterprises with complex internal service ecosystems and those that expose Homarr dashboards to untrusted networks or the internet.

To mitigate this vulnerability, organizations should upgrade Homarr to version 1.54.0 or later, where the integration.all endpoint is properly secured. Until the upgrade can be applied, administrators should restrict access to the Homarr dashboard and its endpoints using network-level controls such as firewalls, VPNs, or IP whitelisting to prevent unauthorized external access. Additionally, implementing authentication and authorization mechanisms around the tRPC endpoints can reduce exposure. Monitoring access logs for unusual or unauthorized requests to the integration.all endpoint can help detect exploitation attempts. It is also advisable to review and minimize the amount of sensitive information exposed through integrations and to follow the principle of least privilege in dashboard configurations. Regular vulnerability scanning and patch management processes should be enforced to promptly address similar issues in the future.