CVE-2026-32112 is a medium-severity cross-site scripting (XSS) vulnerability affecting the ha-mcp component of the Home Assistant MCP Server before version 7.0.0. The vulnerability stems from improper neutralization of user input during web page generation, specifically in the OAuth consent form. The ha-mcp OAuth consent form uses Python f-strings to render user-controlled parameters without applying HTML escaping or sanitization, violating CWE-79. This allows an attacker who can reach the OAuth endpoint to craft a malicious authorization URL that, when visited by a server operator, executes arbitrary JavaScript in their browser context. The attack vector requires the server to be running the beta OAuth mode (ha-mcp-oauth), which is not part of the standard Home Assistant setup and requires explicit configuration, limiting the attack surface. The vulnerability impacts confidentiality and integrity by enabling theft of sensitive information or manipulation of the operator’s session. The CVSS 3.1 base score is 6.8, reflecting network attack vector, high attack complexity, no privileges required, user interaction required, unchanged scope, and high impact on confidentiality and integrity but no impact on availability. No known exploits are reported in the wild. The issue is resolved in ha-mcp version 7.0.0 by implementing proper HTML escaping or sanitization of user input in the OAuth consent form. This vulnerability highlights the risks of rendering user input directly in web pages without proper encoding, especially in security-sensitive OAuth flows.

The primary impact of CVE-2026-32112 is the potential compromise of confidentiality and integrity for organizations running the ha-mcp component with beta OAuth mode enabled. Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of the server operator, potentially leading to theft of authentication tokens, session hijacking, or unauthorized actions performed with the operator’s privileges. While availability is not affected, the breach of operator credentials or session data can lead to further compromise of the Home Assistant environment or connected systems. Since the vulnerability requires user interaction and access to the OAuth endpoint, the attack surface is limited but still significant for organizations using this beta feature. The impact is particularly critical in environments where Home Assistant controls sensitive IoT devices or automation workflows, as attackers could leverage stolen credentials or session data to manipulate device behavior or exfiltrate data. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly disclosed. Organizations ignoring this vulnerability risk targeted phishing or social engineering attacks against operators to trigger the exploit.

To mitigate CVE-2026-32112, organizations should upgrade ha-mcp to version 7.0.0 or later, where the vulnerability is fixed by proper HTML escaping of user input in the OAuth consent form. Until upgrading is possible, organizations should disable the beta OAuth mode (ha-mcp-oauth) if it is not strictly required, as this mode is the only affected configuration. Restrict network access to the OAuth endpoint to trusted internal users only, minimizing exposure to external attackers. Implement strict URL filtering and monitoring to detect and block suspicious authorization URLs that could be used in phishing attempts. Educate server operators about the risks of clicking on unsolicited or suspicious authorization links, emphasizing the need for caution with URLs received via email or messaging. Review and harden the Home Assistant environment’s overall security posture, including multi-factor authentication for operator accounts and regular auditing of OAuth configurations. Employ Content Security Policy (CSP) headers where possible to reduce the impact of XSS attacks by restricting script execution sources. Finally, monitor security advisories from Home Assistant and related projects for updates or additional patches.