CVE-2026-32112 is a cross-site scripting (XSS) vulnerability classified under CWE-79 found in the ha-mcp component of the Home Assistant MCP Server. The flaw exists in versions prior to 7.0.0 within the OAuth consent form implementation used in the beta OAuth mode (ha-mcp-oauth). Specifically, the server renders user-supplied parameters directly into the HTML page using Python f-strings without any HTML escaping or sanitization. This improper neutralization of input allows an attacker who can access the OAuth endpoint to craft a malicious authorization URL containing JavaScript payloads. If the server operator, who is the intended user of the OAuth consent form, follows this crafted URL, the malicious script executes in their browser context. This can lead to theft of sensitive information such as OAuth tokens or session cookies, compromising confidentiality and integrity. The vulnerability requires no authentication but does require user interaction (clicking the malicious link). The attack surface is limited to deployments that have explicitly enabled the beta OAuth mode, which is not part of the standard Home Assistant MCP Server setup. The CVSS 3.1 base score is 6.8, reflecting network attack vector, high complexity, no privileges required, user interaction required, and high impact on confidentiality and integrity. There are no known exploits in the wild at the time of publication. The issue is resolved in version 7.0.0 by implementing proper HTML escaping of user input before rendering. This vulnerability highlights the risks of rendering untrusted input directly in web pages without sanitization, especially in security-sensitive components like OAuth consent forms.

The primary impact of this vulnerability is the potential compromise of confidentiality and integrity for organizations using the ha-mcp component in beta OAuth mode. An attacker exploiting this XSS flaw can execute arbitrary JavaScript in the browser of the server operator, potentially stealing OAuth tokens, session cookies, or performing actions on behalf of the operator. This could lead to unauthorized access to sensitive systems or data controlled via Home Assistant integrations. Although availability is not affected, the breach of credentials or session information can have cascading effects on the security posture of smart home or IoT environments managed by Home Assistant. Since the vulnerability requires user interaction and affects a non-default beta feature, the scope is limited but still significant for organizations relying on this mode. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly disclosed. Organizations that do not upgrade risk targeted phishing or social engineering attacks aimed at their operators. The impact is heightened in environments where Home Assistant is integrated with critical infrastructure or sensitive personal data.

1. Upgrade ha-mcp to version 7.0.0 or later immediately to apply the fix that properly escapes user input in the OAuth consent form. 2. Disable the beta OAuth mode (ha-mcp-oauth) if it is not strictly required, as this feature is not part of the standard setup and increases attack surface. 3. Educate server operators and administrators to be cautious of unsolicited or suspicious OAuth authorization URLs, especially those received via email or messaging. 4. Implement network-level protections such as web filtering or URL inspection to block known malicious or suspicious OAuth endpoints. 5. Monitor logs for unusual OAuth authorization requests or patterns that may indicate attempted exploitation. 6. Consider deploying Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the OAuth consent page context. 7. Conduct regular security reviews of custom or beta features before enabling them in production environments. 8. Use multi-factor authentication and session management best practices to limit the impact of stolen tokens or cookies. These steps go beyond generic advice by focusing on the specific beta feature, operator behavior, and layered defenses.