CVE-2026-32111: CWE-918: Server-Side Request Forgery (SSRF) in homeassistant-ai ha-mcp
CVE-2026-32111 is a Server-Side Request Forgery (SSRF) vulnerability in the ha-mcp component of homeassistant-ai versions prior to 7.0.0. The vulnerability arises because the OAuth consent form accepts a user-supplied ha_url and makes an HTTP request to {ha_url}/api/config without validating the URL. This allows unauthenticated attackers to perform internal network reconnaissance by submitting arbitrary URLs. Two other OAuth-related code paths (REST and WebSocket) are also affected by this SSRF primitive. The primary deployment method using a private URL with a pre-configured HOMEASSISTANT_TOKEN is not vulnerable. The issue has a CVSS score of 5.3 (medium severity) and was fixed in version 7.0.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-32111 is a medium-severity SSRF vulnerability affecting ha-mcp, a server component of homeassistant-ai, in versions before 7.0.0. The vulnerability exists in the OAuth consent form beta feature, which accepts a user-supplied ha_url parameter and performs an HTTP GET request to the endpoint {ha_url}/api/config without any URL validation or sanitization. This lack of validation enables unauthenticated attackers to craft requests that cause the server to make arbitrary HTTP requests to internal or external network resources. The SSRF can be leveraged to perform internal network reconnaissance by observing error responses or timing differences (error oracle). Additionally, two other OAuth tool code paths involving REST and WebSocket calls share the same SSRF primitive, expanding the attack surface. However, the primary deployment method that uses a private URL with a pre-configured HOMEASSISTANT_TOKEN is not affected, limiting exposure in some configurations. The vulnerability does not allow direct data exfiltration or code execution but can be a stepping stone for further attacks, such as internal network mapping or accessing internal services not exposed externally. The issue was publicly disclosed on March 11, 2026, with no known active exploitation reported. The vulnerability was addressed and fixed in ha-mcp version 7.0.0 by implementing proper URL validation and restricting SSRF vectors.
Potential Impact
The primary impact of CVE-2026-32111 is unauthorized internal network reconnaissance through SSRF, which can reveal sensitive infrastructure details to attackers. Organizations using vulnerable versions of ha-mcp in homeassistant-ai may have their internal network topology exposed, potentially allowing attackers to identify internal services, ports, or misconfigurations that are not otherwise accessible externally. This can facilitate subsequent attacks such as lateral movement, privilege escalation, or exploitation of other internal vulnerabilities. Since the vulnerability is unauthenticated and requires no user interaction, it can be exploited remotely by any attacker with network access to the vulnerable service. Although the vulnerability does not directly compromise confidentiality, integrity, or availability of the ha-mcp server itself, the indirect exposure of internal network information can significantly increase the risk profile of affected organizations. The impact is especially critical in environments where homeassistant-ai is deployed in sensitive or segmented networks, such as smart building management, industrial IoT, or enterprise automation systems. The absence of known exploits in the wild currently limits immediate risk, but the medium CVSS score and ease of exploitation warrant prompt remediation.
Mitigation Recommendations
To mitigate CVE-2026-32111, organizations should upgrade ha-mcp to version 7.0.0 or later, where the vulnerability is fixed. If immediate upgrade is not feasible, administrators should disable the OAuth consent form beta feature that accepts user-supplied ha_url parameters to prevent SSRF exploitation. Network-level controls such as firewall rules or web application firewalls (WAF) can be configured to restrict outbound HTTP requests from the ha-mcp server to only trusted internal or external endpoints, thereby limiting SSRF impact. Additionally, monitoring and logging HTTP requests initiated by ha-mcp can help detect suspicious SSRF attempts. Implementing strict input validation and URL whitelisting on any user-supplied URLs within the application is critical to prevent SSRF. Finally, segregating the ha-mcp server in a network segment with limited access to sensitive internal resources reduces the risk of internal network reconnaissance.
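The description above gives the vulnerable shape of the code (the server requests {ha_url}/api/config for whatever ha_url the consent form receives), and the mitigation section asks for strict validation and allowlisting of user-supplied URLs. The following added example, which is not ha-mcp's code and not the fix shipped in 7.0.0, shows that vulnerable shape beside a hardened validator. All names in it (validate_ha_url, UnsafeURL, rejection_reason, the FAKE_DNS table and its addresses) are hypothetical; the resolver is injectable so the module runs offline. Because a Home Assistant instance often legitimately sits on private address space, the operator-configured host allowlist is treated as the primary control and the non-routable-address check as a second layer that can be switched off for that case; the same validator covers the REST and WebSocket paths by passing a different scheme allowlist.

```python
"""Added illustration of the SSRF pattern described in CVE-2026-32111.

Not ha-mcp's code: every name here (validate_ha_url, UnsafeURL, FAKE_DNS) is
hypothetical, and the resolver is injectable so the module runs offline.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional, Union
from urllib.parse import urlsplit, urlunsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
ALLOWED_SCHEMES = frozenset({"http", "https"})

class UnsafeURL(ValueError):
    """Raised when a user-supplied URL fails validation."""

def config_endpoint_unvalidated(ha_url: str) -> str:
    """Vulnerable pattern: the caller-supplied base URL is interpolated straight
    into the request target, so the server fetches whatever it was given."""
    return f"{ha_url}/api/config"

def resolve_all(hostname: str) -> List[IPAddress]:
    """Resolve a hostname to every address it currently maps to (A and AAAA)."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return [ipaddress.ip_address(info[4][0]) for info in infos]

def _is_internal(addr: IPAddress) -> bool:
    """True for anything not globally routable (RFC 1918/ULA, loopback, link-local, ...)."""
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def validate_ha_url(
    ha_url: str,
    allowed_hosts: Optional[Iterable[str]] = None,
    block_internal: bool = True,
    allowed_schemes: Iterable[str] = ALLOWED_SCHEMES,
    resolver: Callable[[str], List[IPAddress]] = resolve_all,
) -> str:
    """Return a normalised base URL or raise UnsafeURL. Checks: scheme allowlist,
    no embedded credentials, valid port, optional host allowlist (the primary
    control when the instance lives on a LAN), then non-routable-address check."""
    parts = urlsplit(ha_url.strip())
    scheme = parts.scheme.lower()
    if scheme not in set(allowed_schemes):
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("credentials embedded in the URL are not accepted")
    host = (parts.hostname or "").lower()
    if not host:
        raise UnsafeURL("URL has no host")
    try:
        port = parts.port  # ValueError for a non-numeric or out-of-range port
    except ValueError as exc:
        raise UnsafeURL(f"invalid port: {exc}") from None
    if allowed_hosts is not None and host not in {h.lower() for h in allowed_hosts}:
        raise UnsafeURL(f"host not on the configured allowlist: {host}")
    try:
        addrs: List[IPAddress] = [ipaddress.ip_address(host)]  # IP literal
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise UnsafeURL(f"host does not resolve: {host}")
    if block_internal:
        for addr in addrs:
            if _is_internal(addr):
                raise UnsafeURL(f"{host} resolves to non-routable address {addr}")
    netloc = f"[{host}]" if ":" in host else host  # re-bracket IPv6 literals
    if port is not None:
        netloc = f"{netloc}:{port}"
    # Query string and fragment are dropped; the caller appends its own path.
    return urlunsplit((scheme, netloc, parts.path.rstrip("/"), "", ""))

def config_endpoint_validated(ha_url: str, **policy) -> str:
    """Hardened counterpart: only a validated base URL reaches the HTTP client."""
    return validate_ha_url(ha_url, **policy) + "/api/config"

def rejection_reason(ha_url: str, **policy) -> Optional[str]:
    """None when the URL is accepted, otherwise the validator's message."""
    try:
        validate_ha_url(ha_url, **policy)
    except UnsafeURL as exc:
        return str(exc)
    return None

# Constructed DNS table so the example runs without network access.
FAKE_DNS = {
    "ha.example.com": ["123.45.67.89"],  # placeholder for a public address
    "ha.lan": ["192.168.1.20"],          # the usual LAN deployment
    "internal.example": ["10.0.0.5"],    # a host the server must never fetch
}

def fake_resolver(hostname: str) -> List[IPAddress]:
    return [ipaddress.ip_address(a) for a in FAKE_DNS.get(hostname, [])]
```

With the hypothetical fake_resolver, `config_endpoint_validated("https://ha.example.com:8123/", resolver=fake_resolver)` yields the config endpoint, while a loopback, RFC 1918 or file: URL is refused before any request is made; a LAN deployment passes `allowed_hosts={"ha.lan"}, block_internal=False` and relies on the allowlist. One caveat a practitioner should keep in mind: the validator resolves the name once and the HTTP client resolves it again when connecting, so a name whose answer changes between the two lookups (DNS rebinding) slips past the address check. The allowlist is immune to that, and for the address check the robust form is to pin the validated address in the client's connection hook rather than validate and then connect by name.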
Affected Countries
United States, Germany, United Kingdom, Netherlands, Japan, South Korea, Australia, Canada, France, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-10T22:02:38.855Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b1d7c72f860ef94378fdcf
Added to database: 3/11/2026, 8:59:51 PM
Last enriched: 3/19/2026, 2:30:41 AM
Last updated: 4/25/2026, 3:39:14 AM