
CVE-2026-27981: CWE-307: Improper Restriction of Excessive Authentication Attempts in sysadminsmedia homebox

Severity: High
Published: Tue Mar 03 2026 (03/03/2026, 22:27:37 UTC)
Source: CVE Database V5
Vendor/Project: sysadminsmedia
Product: homebox

Description

HomeBox is a home inventory and organization system. Prior to 0.24.0, the authentication rate limiter (authRateLimiter) tracks failed attempts per client IP. It determines the client IP by reading, in order: 1. the X-Real-IP header, 2. the first entry of the X-Forwarded-For header, and 3. r.RemoteAddr (the TCP connection address). These headers were read unconditionally. An attacker connecting directly to HomeBox could forge any value in X-Real-IP, effectively getting a fresh rate limit identity per request. There is a TrustProxy option in the configuration (Options.TrustProxy, default false), but this option was never read by any middleware or rate limiter code. Additionally, chi's middleware.RealIP was applied unconditionally in main.go, overwriting r.RemoteAddr with the forged header value before it reaches any handler. This vulnerability is fixed in 0.24.0.

AI-Powered Analysis

Last updated: 03/03/2026, 23:02:54 UTC

Technical Analysis

CVE-2026-27981 is a vulnerability classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts) affecting sysadminsmedia's HomeBox prior to version 0.24.0. HomeBox implements an authentication rate limiter (authRateLimiter) that tracks failed login attempts per client IP to slow down brute-force attacks. The limiter derives the client IP by unconditionally reading, in order, the X-Real-IP header, the first entry of the X-Forwarded-For header, and finally the TCP connection address (r.RemoteAddr). Because the headers are consulted regardless of whether a reverse proxy is in front of the service, a client connecting directly to HomeBox can supply any value it likes. The TrustProxy option (Options.TrustProxy), which should gate whether proxy headers are believed, defaults to false but is never read by the rate limiter or any middleware, so setting it has no effect in affected versions. Moreover, chi's middleware.RealIP is applied unconditionally in main.go, which overwrites r.RemoteAddr with the header-supplied value before any handler runs; even the last fallback therefore reflects the forged address rather than the real peer.

The consequence is that each request can carry a fresh, attacker-chosen IP, giving the attacker a new rate limit identity per request and bypassing the limiter entirely. An unauthenticated attacker can thus make an unlimited number of authentication attempts, putting user credentials and system integrity at risk. Version 0.24.0 fixes the issue by correcting the handling of proxy headers and enforcing the TrustProxy configuration. The CVSS 3.1 score is 7.4, reflecting a network attack vector, high impact on confidentiality and integrity, no privileges required, no user interaction, and high attack complexity.
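The following Go program is an added illustration of the mechanism described above and of the "reliably sourced and validated" client IP the mitigation section asks for; it is not HomeBox code. It reproduces the header precedence the advisory describes in `vulnerableClientIP`, places a hardened `hardenedClientIP` beside it that honours `TrustProxy` and only believes proxy headers when the TCP peer is a configured proxy network, and feeds both through a minimal failure-counting limiter so the difference in rate limit identity is visible. The `Options` struct, the `/login` path, the trusted proxy CIDR, and all addresses (TEST-NET ranges) are constructed assumptions, as is the limiter itself, which stands in for the real authRateLimiter.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
	"sync"
)

// Options stands in for the configuration struct the advisory mentions; only the
// TrustProxy field name is taken from the advisory, the rest is assumed.
type Options struct {
	TrustProxy bool
}

// hostOnly strips the port from an "ip:port" RemoteAddr.
func hostOnly(remoteAddr string) string {
	if host, _, err := net.SplitHostPort(remoteAddr); err == nil {
		return host
	}
	return remoteAddr
}

// inNetworks reports whether ipStr falls inside any of the given CIDRs.
func inNetworks(ipStr string, nets []*net.IPNet) bool {
	ip := net.ParseIP(ipStr)
	if ip == nil {
		return false
	}
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// vulnerableClientIP reproduces the pre-0.24.0 precedence the advisory describes:
// X-Real-IP, then the first X-Forwarded-For entry, then the TCP peer, without
// checking whether a proxy is actually in front of the service.
func vulnerableClientIP(r *http.Request) string {
	if ip := strings.TrimSpace(r.Header.Get("X-Real-IP")); ip != "" {
		return ip
	}
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		return strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	return hostOnly(r.RemoteAddr)
}

// hardenedClientIP only believes proxy headers when TrustProxy is on AND the TCP
// peer is one of the configured proxy networks; otherwise the peer address is the
// identity, so a client connecting directly cannot choose its own key.
func hardenedClientIP(r *http.Request, opts Options, trustedProxies []*net.IPNet) string {
	peer := hostOnly(r.RemoteAddr)
	if !opts.TrustProxy || !inNetworks(peer, trustedProxies) {
		return peer
	}
	if ip := net.ParseIP(strings.TrimSpace(r.Header.Get("X-Real-IP"))); ip != nil {
		return ip.String()
	}
	// Walk X-Forwarded-For from the right: the trusted proxy appends the real
	// client last, while leftmost entries may have been supplied by the client.
	parts := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(parts) - 1; i >= 0; i-- {
		if ip := net.ParseIP(strings.TrimSpace(parts[i])); ip != nil && !inNetworks(ip.String(), trustedProxies) {
			return ip.String()
		}
	}
	return peer
}

// authRateLimiter is a minimal stand-in for the limiter named in the advisory:
// it counts failures per identity and blocks once the limit is reached.
type authRateLimiter struct {
	mu       sync.Mutex
	failures map[string]int
	limit    int
}

func newAuthRateLimiter(limit int) *authRateLimiter {
	return &authRateLimiter{failures: make(map[string]int), limit: limit}
}

// RecordFailure counts one failed login for key and reports whether key is now
// at or over the limit, i.e. whether the attempt should be rejected.
func (l *authRateLimiter) RecordFailure(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	l.failures[key]++
	return l.failures[key] >= l.limit
}

// simulate feeds n failed logins from one directly connected peer, each carrying
// a different X-Real-IP, through a limiter (limit 5) keyed by keyFn, and returns
// how many attempts were blocked. All addresses are constructed test values.
func simulate(n int, keyFn func(*http.Request) string) int {
	rl := newAuthRateLimiter(5)
	blocked := 0
	for i := 0; i < n; i++ {
		r, _ := http.NewRequest("POST", "/login", nil) // placeholder path
		r.RemoteAddr = "203.0.113.7:51234"
		r.Header.Set("X-Real-IP", fmt.Sprintf("198.51.100.%d", i%250+1))
		if rl.RecordFailure(keyFn(r)) {
			blocked++
		}
	}
	return blocked
}

func main() {
	_, lan, _ := net.ParseCIDR("10.0.0.0/8") // assumed reverse-proxy network
	hardened := func(r *http.Request) string { return hardenedClientIP(r, Options{}, []*net.IPNet{lan}) }
	fmt.Println("vulnerable keying, blocked out of 20:", simulate(20, vulnerableClientIP))
	fmt.Println("hardened keying (TrustProxy=false), blocked out of 20:", simulate(20, hardened))
}
```

With the vulnerable keying none of the 20 attempts is blocked, because every request lands in a fresh bucket; with the hardened keying and TrustProxy left at its default of false, every attempt keys on the real peer and the limiter rejects the fifth attempt onwards. The trusted-network check matters even once TrustProxy is true: a proxy header is only meaningful on connections that actually arrive from the proxy.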

Potential Impact

The primary impact of this vulnerability is that attackers can bypass authentication rate limiting by forging client IP headers, enabling unlimited brute-force login attempts against HomeBox instances. This can lead to credential compromise, unauthorized access, and potential data breaches affecting user confidentiality and system integrity. Since HomeBox is a home inventory and organization system, compromised accounts could expose sensitive personal or household data. The vulnerability does not directly affect availability but undermines authentication controls, increasing the risk of account takeover. Organizations running vulnerable versions face elevated risk of automated attacks and credential stuffing campaigns. Because middleware.RealIP rewrites r.RemoteAddr before any handler runs, any other control or log entry in an affected version that relies on the derived client IP also sees an attacker-chosen value rather than the true peer. Although no known exploits are reported in the wild yet, the ease of exploitation and high impact warrant urgent remediation.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately upgrade HomeBox to version 0.24.0 or later, where the issue is fixed. If upgrading is not immediately possible, administrators should disable or restrict access to the HomeBox service from untrusted networks to limit exposure. Review and correctly configure the TrustProxy option so that proxy headers are accepted only when a trusted reverse proxy is in front of the service; note that in versions prior to 0.24.0 this option is never read, so it is effective only after upgrading and is not a workaround on its own. Implement additional network-level protections such as Web Application Firewalls (WAFs) or rate limiting at the perimeter to detect and block suspicious authentication attempts; a perimeter limiter keyed on the actual TCP peer is not affected by forged headers. Monitor authentication logs for unusual patterns indicative of brute-force attacks. Consider deploying multi-factor authentication (MFA) to reduce the risk of compromised credentials leading to unauthorized access. Finally, audit all middleware and proxy configurations to ensure that client IP addresses used for security controls are reliably sourced and validated.
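As an added example of the log monitoring recommended above (not HomeBox code, and not a format HomeBox is known to emit), the Go program below parses constructed key=value authentication log lines and aggregates failed logins by the TCP peer rather than by any header. It raises a "brute-force" finding when one peer accumulates enough failures, and a "header-churn" finding when that peer has presented many distinct X-Real-IP values, which is the signature of the bypass this advisory describes. The field names (`remote_addr`, `x_real_ip`, `user`, `msg`) and all addresses and timestamps are placeholders chosen for this example.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"sort"
	"strings"
)

// sampleLog holds constructed lines in an assumed key=value format. HomeBox's
// real log layout is not described on the page; field names are placeholders.
const sampleLog = `2026-03-03T22:10:01Z level=info msg="login ok" remote_addr=203.0.113.9:40001 user=alice
2026-03-03T22:10:02Z level=warn msg="login failed" remote_addr=203.0.113.7:51234 x_real_ip=198.51.100.1 user=admin
2026-03-03T22:10:02Z level=warn msg="login failed" remote_addr=203.0.113.7:51235 x_real_ip=198.51.100.2 user=admin
2026-03-03T22:10:03Z level=warn msg="login failed" remote_addr=203.0.113.7:51236 x_real_ip=198.51.100.3 user=admin
2026-03-03T22:10:03Z level=warn msg="login failed" remote_addr=203.0.113.7:51237 x_real_ip=198.51.100.4 user=admin
2026-03-03T22:10:04Z level=warn msg="login failed" remote_addr=203.0.113.7:51238 x_real_ip=198.51.100.5 user=admin
2026-03-03T22:10:04Z level=warn msg="login failed" remote_addr=203.0.113.7:51239 x_real_ip=198.51.100.6 user=admin
2026-03-03T22:10:05Z level=warn msg="login failed" remote_addr=203.0.113.9:40002 user=alice
2026-03-03T22:10:06Z level=warn msg="login failed" remote_addr=203.0.113.9:40003 user=alice
2026-03-03T22:10:07Z level=warn msg="login failed" remote_addr=198.51.100.50:3001 user=bob
2026-03-03T22:10:08Z level=warn msg="login failed" remote_addr=198.51.100.50:3002 user=bob
2026-03-03T22:10:09Z level=warn msg="login failed" remote_addr=198.51.100.50:3003 user=bob
2026-03-03T22:10:10Z level=warn msg="login failed" remote_addr=198.51.100.50:3004 user=bob
2026-03-03T22:10:11Z level=warn msg="login failed" remote_addr=198.51.100.50:3005 user=bob`

// kvRe matches key=value tokens, allowing double-quoted values with spaces.
var kvRe = regexp.MustCompile(`(\w+)=("[^"]*"|\S+)`)

// parseFailure extracts the TCP peer (port stripped), the header-claimed IP and
// the user from a failed-login line; ok is false for any other line.
func parseFailure(line string) (peer, claimedIP, user string, ok bool) {
	fields := map[string]string{}
	for _, m := range kvRe.FindAllStringSubmatch(line, -1) {
		fields[m[1]] = strings.Trim(m[2], `"`)
	}
	if fields["msg"] != "login failed" {
		return "", "", "", false
	}
	peer = fields["remote_addr"]
	if host, _, err := net.SplitHostPort(peer); err == nil {
		peer = host
	}
	return peer, fields["x_real_ip"], fields["user"], true
}

// Finding summarises one suspicious peer.
type Finding struct {
	Peer       string
	Failures   int
	ClaimedIPs int // distinct non-empty X-Real-IP values seen from this peer
	Reason     string
}

// analyze keys failures by the TCP peer so a client rotating X-Real-IP still
// lands in one bucket. A peer is reported when its failures reach failThreshold
// ("brute-force") and, additionally, when its distinct claimed IPs reach
// churnThreshold ("header-churn"). Findings are sorted by peer for stable output.
func analyze(logText string, failThreshold, churnThreshold int) []Finding {
	failures := map[string]int{}
	claimed := map[string]map[string]bool{}
	for _, line := range strings.Split(logText, "\n") {
		peer, ip, _, ok := parseFailure(line)
		if !ok {
			continue
		}
		failures[peer]++
		if ip != "" {
			if claimed[peer] == nil {
				claimed[peer] = map[string]bool{}
			}
			claimed[peer][ip] = true
		}
	}
	var out []Finding
	for peer, n := range failures {
		var reasons []string
		if n >= failThreshold {
			reasons = append(reasons, "brute-force")
		}
		if len(claimed[peer]) >= churnThreshold {
			reasons = append(reasons, "header-churn")
		}
		if len(reasons) == 0 {
			continue
		}
		out = append(out, Finding{Peer: peer, Failures: n, ClaimedIPs: len(claimed[peer]), Reason: strings.Join(reasons, "+")})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Peer < out[j].Peer })
	return out
}

func main() {
	for _, f := range analyze(sampleLog, 5, 3) {
		fmt.Printf("%-15s failures=%d claimed_ips=%d reason=%s\n", f.Peer, f.Failures, f.ClaimedIPs, f.Reason)
	}
}
```

On the sample data the peer rotating X-Real-IP is reported with both reasons, the plain repeated-failure peer with "brute-force" only, and the peer with two failures is not reported. The point of keying on the peer is that the detection does not inherit the limiter's mistake: whatever a request claims in its headers, the connection it arrived on is the one value the client did not get to choose.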


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-25T03:24:57.794Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69a76534d1a09e29cb81f9b4

Added to database: 3/3/2026, 10:48:20 PM

Last enriched: 3/3/2026, 11:02:54 PM

Last updated: 3/4/2026, 7:18:00 AM
