home-assistant.io
External Program
Submit bugs directly to this organization
Home Assistant takes its security seriously. We will do everything in our power to ensure that our users are safe.
This page is intended to provide information about how to report security issues with us, and how they are handled. Additionally, it provides details about reported security issues we have [handled in the past](#past-advisories).
So, you have found a security vulnerability in Home Assistant? Please be sure to [responsibly disclose](https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure) it to us by [reporting a vulnerability using GitHub's Security Advisory](https://github.com/home-assistant/core/security/advisories/new).
DO NOT MAKE A PUBLIC ISSUE FOR SECURITY VULNERABILITIES!
We are mostly interested in reports by actual Home Assistant users that are familiar with the platform, but all high quality contributions are welcome. Please do your best to describe a clear and realistic impact for your report.
For the sake of the security of our users, please 🙏 do not make vulnerabilities public without notifying us and giving us at least 90 days to release a fixed version. We will do our best to respond to your report within 7 days and to keep you informed of the progress of our efforts to resolve the issue, but understand that Home Assistant, like many open source projects, relies heavily on volunteers who are not full-time resources. We may not be able to respond as quickly as you would like due to other responsibilities.
If you are going to write about Home Assistant's security, please [get in touch](mailto:[email protected]), so we can ensure that all claims are correct.
We will not accept reports of vulnerabilities of the following types:
Reports from automated tools or scanners.
Theoretical attacks without proof of exploitability.
Attacks that are the result of a third-party application or library (these should instead be reported to the library maintainers).
Social engineering.
Attacks that require the user to have access to the Home Assistant host system.
Attacks involving physical access to a user's device, or involving a device or network that is already seriously compromised (for example, an attacker already in a man-in-the-middle position).
Attacks that require the user to install other malicious software, such as a third-party integration, app (formerly known as add-ons), or plugin.
Attacks that the user can only perform against their own setup.
Privilege escalation attacks for logged in users. Home Assistant assumes every user is trusted and does not enforce user privileges. It assumes every logged in user has the same access as an owner account ([more information](/docs/authentication/#user-accounts)).
We only accept reports against the latest stable and official version of Home Assistant, or against later versions that are currently in development or beta test. The latest version can be found on our [GitHub releases page](https://github.com/home-assistant/core/releases).
We do not accept reports against forks of Home Assistant.
If you are familiar with [CVSS](https://www.first.org/cvss/v3.1/specification-document), please provide the vulnerability score in your report in the shape of a vector string. There is a [calculator](https://www.first.org/cvss/calculator/3.1) that can be helpful. If you are unsure how to score a vulnerability, or unable to, state that in your report and we will look into it.
If you intend to provide a score, please familiarize yourself with CVSS first (we strongly recommend reading the [specification](https://www.first.org/cvss/v3.1/specification-document) and the [Scoring Guide](https://www.first.org/cvss/v3.1/user-guide#Scoring-Guide)), as we will not accept reports that use it incorrectly.
We will publish GitHub Security Advisories, and through those request CVEs, for valid vulnerabilities that meet the following criteria:
The vulnerability is in Home Assistant itself, not a third-party library.
The vulnerability is not already known to us.
The vulnerability is not already known to the public.
CVEs will only be requested for vulnerabilities with a severity of medium or higher.
As an open source project, Home Assistant cannot offer bounties for security vulnerabilities. However, if so desired, we of course will credit the discoverer of a vulnerability.
The following is a list of past security advisories that have been published by the Home Assistant project.
2025-10-14: Stored XSS in graph tooltip from entity name
Severity: High (CVSS: 8.0)
Detailed information: [Security advisory](https://github.com/home-assistant/core/security/advisories/GHSA-mq77-rv97-285m)
Assigned CVE: [CVE-2025-62172](https://nvd.nist.gov/vuln/detail/CVE-2025-62172)
Discovered by: https://github.com/pwnpanda
Fixed in: Home Assistant Core 2025.10.2
2025-02-18: SSL validation for outgoing requests in core and used libs not correct
Severity: High (CVSS: 7.0)
Detailed information: [Security advisory](https://github.com/home-assistant/core/security/advisories/GHSA-m3pm-rpgg-5wj6)
Assigned CVE: [CVE-2025-25305](https://nvd.nist.gov/vuln/detail/CVE-2025-25305)
Discovered by: https://github.com/ReneNulschDE
Fixed in: Home Assistant Core 2024.1.6
2023-12-14: User accounts disclosed to unauthenticated actors on the LAN
Severity: Moderate (CVSS: 4.2)
Detailed information: [Security advisory](https://github.com/home-assistant/core/security/advisories/GHSA-jqpc-rc7g-vf83)
Assigned CVE: [CVE-2023-50715](https://nvd.nist.gov/vuln/detail/CVE-2023-50715)
Discovered by: https://github.com/r01k
Fixed in: Home Assistant Core 2023.12.3
2023-10-19: Actions expression injection in helpers/version/action.yml
Severity: Low (This is an internal project)
Detailed information: [Security advisory](https://github.com/home-assistant/core/security/advisories/GHSA-jff5-5j3g-vhqc)
Discovered by: [Jorge Rosillo](https://github.com/jorgectf), [Peter Stöckli](https://github.com/p-) ([GitHub Security Lab](https://securitylab.github.com/))
Fixed in: Home Assistant GitHub Actions released on September 5, 2023
2023-10-19: Arbitrary URL load in Android WebView in MyActivity.kt
Severity: High (CVSS: 8.6)
Detailed information: [Security advisory](https://github.com/home-assistant/core/security/advisories/GHSA-jvpm-q3hq-86rg)
Assigned CVE: [CVE-2023-41898](https://nvd.nist.gov/vuln/detail/CVE-2023-41898)
Discovered by: [Tony Torralba](https://github.com/atorralba) ([GitHub Security Lab](https://securitylab.github.com/))
Fixed in: Home Assistant for Android 2023.9.2
2023-10-19: Partial Server-Side Request Forgery in Core
Severity: Low
Detailed information: [Security advisory](https://github.com/home-assistant/core/security/advisories/GHSA-4r74-h49q-rr3h)
Assigned CVE: [CVE-2023-41899](https://nvd.nist.gov/vuln/detail/CVE-2023-41899)
Discovered by: [Alvaro Muñoz](https://github.com/pwntester) ([GitHub Security Lab](https://securitylab.github.com/))
Fixed in: Home Assistant Core 2023.9
2023-10-19: Client-Side Request Forgery in iOS/macOS native Apps
Severity: High (CVSS: 8.6)
Detailed information: [Security advisory](https://github.com/home-assistant/core/security/advisories/GHSA-h2jp-7grc-9xpp)
Assigned CVE: [CVE-2023-44385](https://nvd.nist.gov/vuln/detail/CVE-2023-44385)
Discovered by: [Alvaro Muñoz](https://github.com/pwntester) ([GitHub Security Lab](https://securitylab.github.com/))
Fixed in: Home Assistant for iOS 2023.7
2023-10-19: Account takeover via auth_callback login
Severity: Low
Detailed information: [Security advisory](https://github.com/home-assistant/core/security/advisories/GHSA-qhhj-7hrc-gqj5)
Assigned CVE: [CVE-2023-41893](https://nvd.nist.gov/vuln/detail/CVE-2023-41893)
Discovered by: https://cure53.de/ (Funded by [Nabu Casa](https://www.nabucasa.com/))
Fixed in: Home Assistant Core 2023.9
2023-10-19: Full takeover via javascript URI in auth_callback login
Severity: Critical
Detailed information: [Security advisory](https://github.com/home-assistant/core/security/advisories/GHSA-jvxq-x42r-f7mv)
Assigned CVE: [CVE-2023-41895](https://nvd.nist.gov/vuln/detail/CVE-2023-41895)
Discovered by: https://cure53.de/ (Funded by [Nabu Casa](https://www.nabucasa.com/))
Fixed in: Home Assistant Core 2023.9
2023-10-19: Local-only webhooks externally accessible via SniTun
Severity: Low
Detailed information: [Security advisory](https://github.com/home-assistant/core/security/advisories/GHSA-wx3j-3v2j-rf45)
Assigned CVE: [CVE-2023-41894](https://nvd.nist.gov/vuln/detail/CVE-2023-41894)
Discovered by: https://cure53.de/ (Funded by [Nabu Casa](https://www.nabucasa.com/))
Fixed in: Home Assistant Core 2023.9
2023-10-19: Fake WS server installation permits full takeover
Severity: Critical
Detailed information: [Security advisory](https://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q)
Assigned CVE: [CVE-2023-41896](https://nvd.nist.gov/vuln/detail/CVE-2023-41896)
Discovered by: https://cure53.de/ (Funded by [Nabu Casa](https://www.nabucasa.com/))
Fixed in: Home Assistant Core 2023.9 & home-assistant-js-websocket 8.2.0 (npm)
2023-10-19: Lack of XFO header allows clickjacking
Severity: Critical
Detailed information: [Security advisory](https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw)
Assigned CVE: [CVE-2023-41897](https://nvd.nist.gov/vuln/detail/CVE-2023-41897)
Discovered by: https://cure53.de/ (Funded by [Nabu Casa](https://www.nabucasa.com/))
Fixed in: Home Assistant Core 2023.9
2023-03-08: Authentication bypass Supervisor API
Severity: Critical (CVSS: 10.0)
Detailed information: [Security advisory](https://github.com/home-assistant/core/security/advisories/GHSA-2j8f-h4mr-qr25)
Assigned CVE: [CVE-2023-27482](https://nvd.nist.gov/vuln/detail/CVE-2023-27482)
Discovered by: [Joseph Surin](https://jsur.in/) from https://www.elttam.com/
Fixed in: Home Assistant Core 2023.3.2, Home Assistant Supervisor 2023.03.3
2017-10-11: Cross-site scripting in Markdown output
Severity: Medium (CVSS: 6.1)
Detailed information: [Pull request](https://github.com/home-assistant/frontend/pull/514)
Assigned CVE: [CVE-2017-16782](https://nvd.nist.gov/vuln/detail/CVE-2017-16782)
Discovered by: Marcin Teodorczyk from https://intive.com/
Fixed in: Home Assistant Core 0.57
This security page is heavily inspired by the one from https://octoprint.org. ❤️ If you are into 3D printing, check them out!