CVE-2026-44698— Home Assistant: Cross-origin iframe access token exfiltration via WebView JS bridge callback injection
Possible ATT&CK Techniques 1AI
T1530 · Data from Cloud StorageGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-44698
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Home Assistant: Cross-origin iframe access token exfiltration via WebView JS bridge callback injection
Source: NVD (National Vulnerability Database)
Vulnerability Description
Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.4.1 for iOS and 2026.4.4 for Android, he Home Assistant Companion apps for Android and iOS expose a JavaScript bridge to the in-app WebView window.externalApp on Android and webkit.messageHandlers.getExternalAuth (alongside revokeExternalAuth and externalBus) on iOS. Two flaws expose the bridge to all frames (including cross-origin iframes) and unsanitized interpolation of the JavaScript callback identifier allows a cross-origin iframe rendered inside the Companion app to execute arbitrary JavaScript in the Home Assistant frontend's main-frame origin and exfiltrate the signed-in user's access token. This vulnerability is fixed in 2026.4.1 for iOS and 2026.4.4 for Android.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| home-assistant | core | < 2026.4.4 | - | |
| Home Assistant | Companion app (iOS) | < 2026.4.1 | - | |
| Home Assistant | Companion app (Android) | < 2026.4.4 | - |
II. Public POCs for CVE-2026-44698
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-44698
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-44698 (1)
IV. Related Vulnerabilities
Same product: core
- CVE-2026-44473
Ella Core: UE Downlink Redirection via Forged PDUSessionReso - CVE-2026-44475
Ella Core: UE Security Capability bypass on NGAP PathSwitchR - CVE-2026-44474
Ella Core: Handover failures during concurrent Security Mode - CVE-2026-45158
OPNsense: Command Injection via Attacker-Controlled DHCP Con - CVE-2026-44194
OPNsense: RCE on user managment
Same vendor: home-assistant
- CVE-2021-47942
Home Assistant Community Store 1.10.0 Path Traversal Account - CVE-2026-34205
Home Assistant: Unauthenticated App (Add-on) Endpoints Expos - CVE-2026-33045
Home Assistant has stored XSS in history-graphs - CVE-2026-33044
Home Assistant has stored XSS in Map-card through malicious - CVE-2025-62172
Home Assistant vulnerable to Stored XSS in Energy dashboard
Same weakness: CWE-94
- CVE-2026-41159
Mermaid: Improper sanitization of configuration leads to CSS - CVE-2026-45555
Roslyn CodeLens MCP Server: Untrusted Roslyn Analyzer Execut - CVE-2026-43898
SandboxJS: Sandbox escape via Function.caller leakage of int - CVE-2026-45311
CodeWhale: run_tests Tool Enables RCE via Malicious Reposito - CVE-2026-45374
CodeWhale: task_create Insecure Defaults Enable RCE via Prom
V. Comments for CVE-2026-44698
No comments yet