GHSA-q855-8rh5-jfgq: ha-mcp: Add-on settings and policy routes are reachable without authentication at the bare root path
In ha-mcp add-on mode for Home Assistant, certain settings and policy routes are accessible without authentication at the bare root path on port 9583 in versions prior to 7.10.0. This allows any client able to reach this port to read or modify add-on configurations, toggle feature flags, manage backups, restart the add-on, and alter approval policies if enabled, without requiring authentication. The vulnerability does not expose Home Assistant data, credentials, or allow code execution. The issue is fixed by restricting root path access to Home Assistant ingress only, with the fix included in versions 7.10.0 and later.
AI Analysis
Technical Summary
The ha-mcp add-on for Home Assistant mounts its settings UI routes both under a secret path and at the bare root of the published port 9583 in add-on mode (host_network: true). The root-mounted routes lack authentication mechanisms such as secret tokens, Origin checks, or CSRF protection, allowing any client with network access to port 9583 to invoke sensitive API endpoints. Affected routes include tool visibility, feature flags, backup management, add-on restart, and approval policy APIs. This enables unauthorized reading and modification of add-on configuration and lifecycle controls. The vulnerability affects add-on versions prior to 7.10.0. The issue is resolved by restricting root path access to Home Assistant ingress only, which originates from the Supervisor IP, returning 403 to other callers. The fix is included in the next stable release 7.10.0 and is available on the dev channel.
Potential Impact
An unauthenticated attacker or any client able to reach port 9583 without the MCP secret can read and modify add-on tool configurations, toggle feature flags, manage backups (including restore and delete), restart the add-on, and modify approval policies if the Tool Security Policies feature is enabled. There is no impact on Home Assistant data, entities, credentials, or code execution. All changes affect only the add-on's configuration and lifecycle and are recoverable. The primary attack vector is local network access or remote access if the port is reverse-proxied without proper restrictions.
Mitigation Recommendations
A fix is available and included in ha-mcp add-on version 7.10.0 and later. The fix restricts root path access on port 9583 to Home Assistant ingress only, which originates from the Supervisor IP, returning HTTP 403 to unauthorized callers. Operators should upgrade to version 7.10.0 or later when available. The fix is also available on the development channel (7.6.0.dev393 or later) if immediate mitigation is desired. There is no need to switch channels solely for this fix as the risk surface is low and limited to add-on mode. Until patched, operators should ensure that port 9583 is not exposed without proper network controls or reverse proxy restrictions.
GHSA-q855-8rh5-jfgq: ha-mcp: Add-on settings and policy routes are reachable without authentication at the bare root path
Description
In ha-mcp add-on mode for Home Assistant, certain settings and policy routes are accessible without authentication at the bare root path on port 9583 in versions prior to 7.10.0. This allows any client able to reach this port to read or modify add-on configurations, toggle feature flags, manage backups, restart the add-on, and alter approval policies if enabled, without requiring authentication. The vulnerability does not expose Home Assistant data, credentials, or allow code execution. The issue is fixed by restricting root path access to Home Assistant ingress only, with the fix included in versions 7.10.0 and later.
CVSS v3.1
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The ha-mcp add-on for Home Assistant mounts its settings UI routes both under a secret path and at the bare root of the published port 9583 in add-on mode (host_network: true). The root-mounted routes lack authentication mechanisms such as secret tokens, Origin checks, or CSRF protection, allowing any client with network access to port 9583 to invoke sensitive API endpoints. Affected routes include tool visibility, feature flags, backup management, add-on restart, and approval policy APIs. This enables unauthorized reading and modification of add-on configuration and lifecycle controls. The vulnerability affects add-on versions prior to 7.10.0. The issue is resolved by restricting root path access to Home Assistant ingress only, which originates from the Supervisor IP, returning 403 to other callers. The fix is included in the next stable release 7.10.0 and is available on the dev channel.
Potential Impact
An unauthenticated attacker or any client able to reach port 9583 without the MCP secret can read and modify add-on tool configurations, toggle feature flags, manage backups (including restore and delete), restart the add-on, and modify approval policies if the Tool Security Policies feature is enabled. There is no impact on Home Assistant data, entities, credentials, or code execution. All changes affect only the add-on's configuration and lifecycle and are recoverable. The primary attack vector is local network access or remote access if the port is reverse-proxied without proper restrictions.
Mitigation Recommendations
A fix is available and included in ha-mcp add-on version 7.10.0 and later. The fix restricts root path access on port 9583 to Home Assistant ingress only, which originates from the Supervisor IP, returning HTTP 403 to unauthorized callers. Operators should upgrade to version 7.10.0 or later when available. The fix is also available on the development channel (7.6.0.dev393 or later) if immediate mitigation is desired. There is no need to switch channels solely for this fix as the risk surface is low and limited to add-on mode. Until patched, operators should ensure that port 9583 is not exposed without proper network controls or reverse proxy restrictions.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-q855-8rh5-jfgq
- Osv Schema Version
- 1.4.0
- Aliases
- []
- Ecosystems
- ["PyPI"]
- Database Specific Severity
- MODERATE
- Cvss Version
- 3.1
Threat ID: 6a4e4ee7c9d9e3dbe3289b4e
Added to database: 07/08/2026, 13:21:43 UTC
Last enriched: 07/08/2026, 13:40:27 UTC
Last updated: 07/08/2026, 17:16:53 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.