CVE-2026-32111: CWE-918: Server-Side Request Forgery (SSRF) in homeassistant-ai ha-mcp

Severity: Medium
Published: Wed Mar 11 2026 (03/11/2026, 20:41:37 UTC)
Source: CVE Database V5
Vendor/Project: homeassistant-ai
Product: ha-mcp

Description

CVE-2026-32111 is a Server-Side Request Forgery (SSRF) vulnerability in the ha-mcp component of homeassistant-ai, versions prior to 7.0.0. The vulnerability arises because the OAuth consent form accepts a user-supplied ha_url and makes an HTTP request to {ha_url}/api/config without validating the URL. This allows an unauthenticated attacker to submit arbitrary URLs, potentially enabling internal network reconnaissance through error responses. Two other OAuth-related code paths (REST and WebSocket) are affected by the same SSRF primitive. The primary deployment method, a private URL with a pre-configured HOMEASSISTANT_TOKEN, is not vulnerable. The issue has a CVSS score of 5.3 (medium severity) and was fixed in version 7.0.0.

AI-Powered Analysis

AI analysis last updated: 03/11/2026, 21:14:39 UTC

Technical Analysis

CVE-2026-32111 affects the ha-mcp server component of homeassistant-ai, specifically versions before 7.0.0. The flaw is a Server-Side Request Forgery (SSRF) caused by insufficient validation of user-supplied URLs in the OAuth consent form beta feature. When a user submits a ha_url, the server makes an HTTP request to {ha_url}/api/config without verifying that the URL points at a legitimate, safe destination. An unauthenticated attacker can therefore induce the server to send requests to arbitrary internal or external network locations, potentially exposing internal network structure or services through error messages or response timing (an error oracle). Two other OAuth-related code paths, the REST and WebSocket calls, are vulnerable to the same SSRF primitive. The main deployment method, which uses a private URL with a pre-configured HOMEASSISTANT_TOKEN, is not affected. The issue was publicly disclosed on March 11, 2026, and fixed in version 7.0.0 of ha-mcp. The CVSS 3.1 base score is 5.3, a medium severity rating, with no privileges or user interaction required for exploitation. No known active exploits have been reported to date.

Potential Impact

This SSRF vulnerability can allow unauthenticated attackers to perform internal network reconnaissance by making the vulnerable server send crafted HTTP requests to arbitrary URLs, including internal IP addresses and services not normally accessible externally. This can lead to information disclosure about internal network topology, services, and potentially sensitive endpoints. While the vulnerability does not directly allow code execution or data modification, the reconnaissance information gained can be leveraged for further attacks such as lateral movement, exploitation of internal services, or pivoting within the network. Organizations using ha-mcp versions prior to 7.0.0 with the vulnerable OAuth consent form feature enabled are at risk. The impact is particularly significant for deployments exposing the OAuth consent form publicly without additional network segmentation or filtering. Since the primary deployment method with HOMEASSISTANT_TOKEN is not affected, the risk is somewhat mitigated for those configurations. Overall, the vulnerability poses a moderate risk of information leakage and internal network exposure.

Mitigation Recommendations

Upgrade ha-mcp to version 7.0.0 or later, where the vulnerability is fixed by implementing proper URL validation and restricting SSRF vectors. If upgrading immediately is not possible, disable the OAuth consent form beta feature that accepts user-supplied ha_url parameters to prevent exploitation. Implement network-level protections such as firewall rules or access control lists to restrict outbound HTTP requests from the ha-mcp server to only trusted destinations, thereby limiting SSRF impact. Monitor logs for unusual outbound requests originating from the ha-mcp server that may indicate exploitation attempts. Employ web application firewalls (WAFs) with SSRF detection capabilities to block suspicious requests targeting the OAuth endpoints. Conduct internal network segmentation to isolate critical services and reduce the attack surface exposed via SSRF. Finally, review and restrict OAuth-related API endpoints to authenticated and authorized users where possible, even if the primary deployment method is not affected.
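As an added example, not code from the ha-mcp project or its actual fix, the following shows the kind of validation step the recommendations above describe for a user-supplied ha_url before the server fetches {ha_url}/api/config. The function names, the optional operator allow-list and the injectable resolver are assumptions; the check rejects loopback, private, link-local and other non-global addresses, including after DNS resolution, and the allow-list covers deployments where the Home Assistant instance legitimately sits on a private LAN.

```python
import ipaddress
import logging
import socket
from urllib.parse import urlsplit

log = logging.getLogger("ha_url_check")
ALLOWED_SCHEMES = {"http", "https"}

def _is_public(ip) -> bool:
    # Rejects loopback, RFC 1918 / ULA, link-local (169.254.0.0/16, fe80::/10),
    # unspecified, reserved and multicast: anything not globally routable.
    return ip.is_global and not ip.is_multicast

def _default_resolve(host: str) -> set:
    # Real DNS lookup; collects every A/AAAA answer, not just the first.
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def validate_ha_url(ha_url: str, resolve=_default_resolve,
                    allowed_hosts: frozenset = frozenset()) -> str:
    """Return a normalised base URL for the later GET of /api/config,
    or raise ValueError. `resolve` is injectable so the check runs
    offline in tests; `allowed_hosts` (assumed operator config) lets
    a deliberately private Home Assistant host pass the IP check."""
    parts = urlsplit(ha_url)
    host = parts.hostname
    if parts.scheme not in ALLOWED_SCHEMES or not host:
        raise ValueError("scheme must be http(s) with a host")
    if parts.username or parts.password:
        raise ValueError("credentials in the URL are not allowed")
    if parts.query or parts.fragment:
        raise ValueError("query or fragment not allowed in a base URL")
    if host not in allowed_hosts:
        try:
            addrs = {ipaddress.ip_address(host)}        # IP literal
        except ValueError:
            addrs = {ipaddress.ip_address(a) for a in resolve(host)}
        if not addrs or not all(_is_public(a) for a in addrs):
            raise ValueError(f"{host} resolves to a non-public address")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    host_fmt = f"[{host}]" if ":" in host else host
    return f"{parts.scheme}://{host_fmt}:{port}{parts.path.rstrip('/')}"

def is_safe_ha_url(ha_url: str, **kwargs) -> bool:
    """Boolean form for the form handler. The reason is logged, not
    returned to the submitter, so the response cannot act as an error
    oracle about internal hosts."""
    try:
        validate_ha_url(ha_url, **kwargs)
        return True
    except ValueError as exc:
        log.warning("rejected ha_url %r: %s", ha_url, exc)
        return False
```

Resolving here and connecting later leaves a DNS rebinding window; the request that follows should connect to the addresses validated at this step rather than resolving the host again.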


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-10T22:02:38.855Z
CVSS Version: 3.1
State: PUBLISHED

Added to database: 3/11/2026, 8:59:51 PM

Last enriched: 3/11/2026, 9:14:39 PM

Last updated: 3/11/2026, 11:06:23 PM