CVE-2026-55844: CWE-319: Cleartext Transmission of Sensitive Information in home-assistant core
Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2025.5.0, The iOS companion app ignores the SSID allowlist for internal networks. The app uses SSID to detect when to use the internal URL, but whenever the app cannot find any other URL to be used, it fallbacks to the internal URL as well, which can expose user's token when connected to a not secure network. This vulnerability is fixed in 2025.5.0.
AI Analysis
Technical Summary
CVE-2026-55844 is a vulnerability in the Home Assistant core iOS companion app where, before version 2025.5.0, the app improperly handles SSID allowlisting for internal networks. The app uses the SSID to determine when to use an internal URL for communication. However, if no other URL is available, it falls back to the internal URL regardless of the network's security. This fallback behavior can lead to the user's authentication token being transmitted in cleartext over an insecure network. The vulnerability is addressed in Home Assistant version 2025.5.0.
Potential Impact
An attacker on an insecure network could intercept the user's authentication token transmitted in cleartext, potentially allowing unauthorized access to the user's Home Assistant instance. The vulnerability affects confidentiality but does not impact integrity or availability.
Mitigation Recommendations
This vulnerability is fixed in Home Assistant core version 2025.5.0. Users should upgrade to version 2025.5.0 or later to remediate this issue. No other mitigation actions are specified or required.
CVE-2026-55844: CWE-319: Cleartext Transmission of Sensitive Information in home-assistant core
Description
Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2025.5.0, The iOS companion app ignores the SSID allowlist for internal networks. The app uses SSID to detect when to use the internal URL, but whenever the app cannot find any other URL to be used, it fallbacks to the internal URL as well, which can expose user's token when connected to a not secure network. This vulnerability is fixed in 2025.5.0.
CVSS v3.1
Score 7.5high
Affected software
pkg:github/home-assistant/coreRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-55844 is a vulnerability in the Home Assistant core iOS companion app where, before version 2025.5.0, the app improperly handles SSID allowlisting for internal networks. The app uses the SSID to determine when to use an internal URL for communication. However, if no other URL is available, it falls back to the internal URL regardless of the network's security. This fallback behavior can lead to the user's authentication token being transmitted in cleartext over an insecure network. The vulnerability is addressed in Home Assistant version 2025.5.0.
Potential Impact
An attacker on an insecure network could intercept the user's authentication token transmitted in cleartext, potentially allowing unauthorized access to the user's Home Assistant instance. The vulnerability affects confidentiality but does not impact integrity or availability.
Mitigation Recommendations
This vulnerability is fixed in Home Assistant core version 2025.5.0. Users should upgrade to version 2025.5.0 or later to remediate this issue. No other mitigation actions are specified or required.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-17T16:29:38.865Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a42868627e9c7971906ce0a
Added to database: 06/29/2026, 14:51:50 UTC
Last enriched: 06/29/2026, 15:08:16 UTC
Last updated: 06/29/2026, 21:03:19 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.