CVE-2026-54317 is a high-severity missing authentication for critical function vulnerability in homeassistant (pip), affecting versions < 2026.6.0. It is fixed in 2026.6.0.
Summary The Konnected integration registers an HTTP endpoint, KonnectedView (homeassistant/components/konnected/init.py), that is marked as not requiring authentication (requiresauth = False). A comment next to that line says auth is instead handled "via the access token from configuration." That promise is only half true: Write requests (POST and PUT) are handled by updatesensor(), which does check the request's Authorization: Bearer <token> header against the integration's stored access tokens (using hmac.comparedigest). Read requests (GET) are handled by a separate get() method that has no authentication check at all. By sending GET requests to /api/konnected/device/{deviceid}?zone=N, any unauthenticated client on the LAN can: Enumerate configured Konnected device IDs, the endpoint returns a clean 404-vs-200 difference that acts as an oracle for which devices exist. Read switch output states, the on/off state of every switch output (siren, strobe, and relay outputs of the alarm panel). Read the panel's zone topology, how the alarm panel's zones are configured. Trigger panel connections, each unauthenticated GET forces one outbound panel.asyncconnect() call to the Konnected hardware on the LAN. The same URL that correctly rejects unauthenticated POST and PUT requests silently serves unauthenticated GET requests, leaking alarm-panel state and device topology to anyone who can reach Home Assistant's HTTP port (8123 on the LAN by default). Details This is the threat-model boundary "unauth to auth" the upstream security policy treats as fileable. The same boundary produced CVE-2026-34205 (Unauthenticated app endpoints exposed to local network via host network mode, CVSS 9.7 CRITICAL, March 2026) and CVE-2023-50715 (User accounts disclosed to unauthenticated actors on the LAN, CVSS 4.2 MODERATE, December 2023). The Konnected gap is structurally identical: a HomeAssistantView with requiresauth = False that returns information about configured devices to anyone who can reach the HTTP port. Confirmed end-to-end against ghcr.io/home-assistant/home-assistant:2026.5.2. The Proof of Concept section below has seven captures. Step 1 cites the three load-bearing source ranges (view registration, the auth check that only POST/PUT use, the GET handler that omits it). Step 2 is the control: POST and PUT on the same URL return 401 unauthorized without a Bearer token, proving the integration does have an auth check, just only on the write methods. Step 3 is the bug: GET on the same URL with no Authorization header returns 200 {"zone":"5","state":1} for the siren-output zone, equivalent payload for the strobe and relay-output zones. Step 4 exercises the enumeration oracle: unknown deviceid returns a 404 with a distinct message from a known deviceid with an unknown zone, which a brute-forcer uses to map the device-ID and zone space. Step 5 captures the connection-amplification side effect by firing 10 unauthenticated GETs and observing 10 panel.asyncconnect() invocations on the panel side. Step 6 shows that a deliberately wrong Authorization header produces the same response as no header at all, confirming the auth header is not consulted on GET. Step 7 captures the HA startup log line that registers KonnectedView. Threat model Home Assistant's HTTP server binds to the LAN at port 8123 by default. A Konnected alarm panel is a wired smart-home hardware product whose primary use case is alarm and security: zones 1-6 typically read door/window/glass-break sensors, switches 5-8 drive siren, strobe, and relay outputs that control the alarm itself or external systems such as garage-door openers, entry chimes, or armed-disable interlocks. The state an attacker reads through this bug is precisely the live status of those outputs and inputs. The attacker model upstream policy explicitly treats as in-scope is the LAN-adjacent unauthenticated client: a guest who joined the wifi, a neighbor on shared coffee-shop wifi, a malicious device that reached the LAN via a separately compromised IoT product, an attacker who landed via a flat office network, or an attacker who pivoted from a VPN endpoint. None of these positions grant an access token. All of them grant the network reachability the bug requires. The same endpoint is the receiver for legitimate push updates from the Konnected hardware, which is why requiresauth = False exists in the first place. The intent was to enforce a shared access token on the body. That intent is present in updatesensor() and absent in get(). Impact Alarm-system reconnaissance enabling physical intrusion. A 200 {"zone":"5","state":1} response on the siren zone tells an attacker the siren is firing right now, which means a burglary is in progress and the operator may be away or distracted. A state:0 on the same zone says the panel is quiet. The same applies to strobes, armed-disable relays, and any switch the operator wired through Konnected. This is the intelligence a physical attacker explicitly seeks before entering a property. Topology disclosure. Probing zones 1 through 12 across a known deviceid maps the alarm panel: which zones are sensors, which are switches, which switches are configured for which output. Combined with manufacturer documentation, the topology tells an attacker which physical control points to bypass. Device ID brute force. The 404 "Device <id> not configured" oracle on unknown IDs versus 404 "Switch on zone or pin <n> not configured" on known IDs with unknown zones, versus 200 with state on full hits, is a clean four-state oracle. Konnected hardware derives deviceid from its NIC MAC address; production hardware ships with a small set of manufacturer OUI prefixes. The brute force space is on the order of 2^24, trivially scannable from any LAN host with no rate limit. Outbound connection amplification. Line 397 of init.py fires hass.asynccreatetask(panel.asyncconnect()) on every successful GET. An unauth attacker drives N outbound connect attempts toward the (typically LAN-private) Konnected hardware with N unauth GETs, no rate limit, no auth log. A 10-rps sustained scan produces a constant connect storm against the panel hardware that, depending on Konnected firmware, may interfere with legitimate push delivery or cause spurious connect/disconnect cycles visible in the operator's notification stream. No auth trail. The GET handler logs nothing at INFO level. An attacker can probe this endpoint at arbitrary depth and leave no record in home-assistant.log unless DEBUG logging is enabled for the integration. Affected code homeassistant/components/konnected/init.py:296-301, the view registration. The comment on line 301 is load-bearing for the bug: it says auth happens via the configured access token, but that promise is only kept on the POST/PUT path. homeassistant/components/konnected/init.py:313-335, the auth check that lives inside updatesensor(). POST and PUT call this; GET does not. homeassistant/components/konnected/init.py:385-438, the GET handler with no authentication. Note line 397 firing panel.asyncconnect() before any reachable auth check and before any rate-limit logic. The four-state response oracle that powers the brute force: | Probe | Response | Status | |---|---|---| | Unknown deviceid | {"message":"Device <id> not configured"} | 404 | | Known deviceid, no zone or pin parameter | {"message":"Switch on zone or pin unknown not configured"} | 404 | | Known deviceid, unknown zone | {"message":"Switch on zone or pin <n> not configured"} | 404 | | Known deviceid, known zone | {"zone":"<n>","state":0\|1} | 200 | homeassistant/components/konnected/const.py:45, the URL pattern: Proof of concept Reproduction environment is a single Docker container of Home Assistant Core 2026.5.2 with a small customcomponents/konnectedpoc/ shim that primes hass.data[konnected] with a representative alarm-panel layout and registers the same KonnectedView class through hass.http.registerview. The shim does not change the bug surface; it is the same class the upstream integration registers at line 248. All seven evidence captures below come from one live run against the container. Environment Step 1: cite the three load-bearing source ranges inside the running container Step 2: control. POST and PUT on the same URL return 401 without a Bearer token The integration does enforce a Bearer-token check; the policy is just only applied to the write methods. Step 3: the bug. GET returns alarm-panel switch state with no Authorization header Three zones queried unauthenticated. Each returns the live binary state of a switch output on the configured Konnected alarm panel. Zone 5 is the siren output of the panel in this configuration. Zone 6 is the strobe. Zone 7 is the relay output wired to the garage arm-disable circuit. The unauthenticated attacker learns each output is currently active. Step 4: enumeration oracle. Three distinct response shapes power the brute force An attacker sweeping the deviceid space sees the Device <id> not configured message until a real device matches, at which point the Switch on zone or pin <n> not configured message starts appearing. Then a 12-iteration zone sweep maps the panel's full output topology. Step 5: connection amplification. N unauth GETs drive N outbound panel.asyncconnect() calls 10 unauthenticated GET requests at line rate. The panel.asyncconnect() invocations logged by the panel-side stub confirm line 397 of init.py fires unconditionally on every successful GET, before any reachable rate-limit logic and before any reachable auth check. A sustained scan trivially fills the operator's panel side with retry storms. In production the call is an outbound HTTPS connection to the Konnected hardware on the LAN. Step 6: the Authorization header is ignored on GET Identical responses with no header, a deliberately wrong header, and no header again. This rules out any caching artifact and confirms get() never reads the auth state. The wrong-Authorization case is the load-bearing one. If the GET handler ever consulted the header, it would either accept it (no, because the token is wrong) or reject it (no, because the response is 200 with state). The handler never reads request.headers["Authorization"]. Step 7: startup log confirms the view is registered and the integration is loaded The konnected integration shipped in core 2026.5.2 is loaded normally. The konnectedpoc shim runs after it, registering the same KonnectedView class through hass.http.registerview and seeding hass.data[konnected][devices] with a representative alarm-panel configuration. The bug surface is the same KonnectedView class the upstream integration registers at init.py:248 on every production install. Workaround Migrate to the EspHome integration, as suggested in the existing repair issue for the Konnected integration. Fix The Konnected integration was removed in Home Assistant Core 2026.6.0. It had been deprecated for some time.
A critical operation is accessible without requiring any authentication. Typical impact: any user can invoke the privileged function.
CVE-2026-54317 has a CVSS score of 7.6 (High). The vector is reachable from an adjacent network, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (2026.6.0). Upgrading removes the vulnerable code path.
pip
homeassistant (< 2026.6.0)homeassistant → 2026.6.0 (pip)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-54317 is reachable in your applications. Explore open-source security for your team.
See if CVE-2026-54317 is reachable in your applications. Get a demo
Upgrade homeassistant to 2026.6.0 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-54317 is a high-severity missing authentication for critical function vulnerability in homeassistant (pip), affecting versions < 2026.6.0. It is fixed in 2026.6.0. A critical operation is accessible without requiring any authentication.
CVE-2026-54317 has a CVSS score of 7.6 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
homeassistant (pip) versions < 2026.6.0 is affected.
Yes. CVE-2026-54317 is fixed in 2026.6.0. Upgrade to this version or later.
Whether CVE-2026-54317 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade homeassistant to 2026.6.0 or later.