Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

GHSA-q855-8rh5-jfgq: ha-mcp: Add-on settings and policy routes are reachable without authentication at the bare root path

0
Medium
Published: 07/07/2026 (07/07/2026, 23:41:21 UTC)
Source: GCVE Database
Product: ha-mcp

Description

In ha-mcp add-on mode for Home Assistant, certain settings and policy routes are accessible without authentication at the bare root path on port 9583 in versions prior to 7.10.0. This allows any client able to reach this port to read or modify add-on configurations, toggle feature flags, manage backups, restart the add-on, and alter approval policies if enabled, without requiring authentication. The vulnerability does not expose Home Assistant data, credentials, or allow code execution. The issue is fixed by restricting root path access to Home Assistant ingress only, with the fix included in versions 7.10.0 and later.

CVSS v3.1

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Affected software

PyPIghsa
ha-mcp
Affected versions
<7.10.0

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/08/2026, 13:40:27 UTC

Technical Analysis

The ha-mcp add-on for Home Assistant mounts its settings UI routes both under a secret path and at the bare root of the published port 9583 in add-on mode (host_network: true). The root-mounted routes lack authentication mechanisms such as secret tokens, Origin checks, or CSRF protection, allowing any client with network access to port 9583 to invoke sensitive API endpoints. Affected routes include tool visibility, feature flags, backup management, add-on restart, and approval policy APIs. This enables unauthorized reading and modification of add-on configuration and lifecycle controls. The vulnerability affects add-on versions prior to 7.10.0. The issue is resolved by restricting root path access to Home Assistant ingress only, which originates from the Supervisor IP, returning 403 to other callers. The fix is included in the next stable release 7.10.0 and is available on the dev channel.

Potential Impact

An unauthenticated attacker or any client able to reach port 9583 without the MCP secret can read and modify add-on tool configurations, toggle feature flags, manage backups (including restore and delete), restart the add-on, and modify approval policies if the Tool Security Policies feature is enabled. There is no impact on Home Assistant data, entities, credentials, or code execution. All changes affect only the add-on's configuration and lifecycle and are recoverable. The primary attack vector is local network access or remote access if the port is reverse-proxied without proper restrictions.

Mitigation Recommendations

A fix is available and included in ha-mcp add-on version 7.10.0 and later. The fix restricts root path access on port 9583 to Home Assistant ingress only, which originates from the Supervisor IP, returning HTTP 403 to unauthorized callers. Operators should upgrade to version 7.10.0 or later when available. The fix is also available on the development channel (7.6.0.dev393 or later) if immediate mitigation is desired. There is no need to switch channels solely for this fix as the risk surface is low and limited to add-on mode. Until patched, operators should ensure that port 9583 is not exposed without proper network controls or reverse proxy restrictions.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
GHSA-q855-8rh5-jfgq
Osv Schema Version
1.4.0
Aliases
[]
Ecosystems
["PyPI"]
Database Specific Severity
MODERATE
Cvss Version
3.1

Threat ID: 6a4e4ee7c9d9e3dbe3289b4e

Added to database: 07/08/2026, 13:21:43 UTC

Last enriched: 07/08/2026, 13:40:27 UTC

Last updated: 07/08/2026, 17:16:53 UTC

Views: 3

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses