Summary
ha-mcp: Add-on settings and policy routes are reachable without authentication at the bare root path
Full technical description
In add-on mode, the ha-mcp settings UI routes are mounted both under the MCP secret path and at the bare root of the published port (:9583), so Home Assistant ingress can serve the "Open Web UI" button. The root-mounted routes perform no authentication, no secret, no Origin check, no CSRF token, so any client that can reach :9583 without the MCP secret can invoke them.
Affected configurations
Home Assistant add-on installations (host_network: true with port 9583 published), v7.6.0 and earlier. Docker and standalone installs are not affected, there the settings routes are mounted only under the secret path.
Root-mounted routes in affected versions: tool visibility (/api/settings/tools GET/POST), feature flags (/api/settings/features GET/POST), the auto-backup suite (/api/settings/backups… incl. restore/delete, and /api/settings/backup-config), add-on restart (/api/settings/restart), and, when the opt-in Tool Security Policies feature is enabled, the approval-policy API (/api/policy/config GET/PUT, /api/policy/approve, /api/policy/deny, …).
Proof of concept
With the add-on running and reachable on :9583, from any host that can reach the port without the secret:
GET /api/settings/tools -> 200 (read tool config, no auth)
POST /api/settings/tools {"states":{}} -> 200 (rewrite tool config, no auth / no CSRF token)
POST /api/settings/restart -> 200 (restart the add-on)
The MCP endpoint itself remains correctly protected by the secret path.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L = 6.4 (Moderate). Confidentiality impact is None, tool config and backups are not secrets or credentials; integrity and availability impacts are Low, configuration changes and an add-on restart are recoverable.
Credit
Reported by @bharat.
Impact
Without authentication, a caller that reaches :9583, a peer on the local network, a reverse proxy/tunnel that forwards the bare root path (e.g. a whole-host Cloudflared config), or a CSRF POST from a page open in a LAN browser, can read or change which MCP tools are exposed, toggle feature flags, list/view/restore/delete backups, restart the add-on, and (with Tool Security Policies enabled) read and rewrite the approval policy, disabling the human-approval gate on gated tools.
There is no access to Home Assistant data, entities, or credentials, and no code execution. All effects are confined to the add-on's own configuration and lifecycle and are recoverable. The primary (same-LAN) vector is within the add-on's documented trusted-network model; remote reachability requires the operator to have reverse-proxied the bare port.
A critical operation is accessible without requiring any authentication. Typical impact: any user can invoke the privileged function.
GHSA-Q855-8RH5-JFGQ has a CVSS score of 6.5 (Medium). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (7.10.0); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
Fixed in PR homeassistant-ai/ha-mcp#1508 (merged to master): the root-mounted add-on routes are restricted to Home Assistant ingress, which always originates from the Supervisor (172.30.32.2); every other caller receives 403. Direct and remote access continue to use the settings UI under the MCP secret path (…/<secret>/settings), so the "Open Web UI" button, Cloudflared, and the Webhook Proxy add-on are unaffected.
The fix will ship in the next stable add-on release. If you'd rather have it now, it is already on the dev channel (add-on dev build 7.6.0.dev393 or later), optional; there's no need to switch channels just for this, it is a fairly low risk surface and only exposes the web UI for addon mode only.
Frequently Asked Questions
- What is GHSA-Q855-8RH5-JFGQ? GHSA-Q855-8RH5-JFGQ is a medium-severity missing authentication for critical function vulnerability in ha-mcp (pip), affecting versions < 7.10.0. It is fixed in 7.10.0. A critical operation is accessible without requiring any authentication.
- How severe is GHSA-Q855-8RH5-JFGQ? GHSA-Q855-8RH5-JFGQ has a CVSS score of 6.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of ha-mcp are affected by GHSA-Q855-8RH5-JFGQ? ha-mcp (pip) versions < 7.10.0 is affected.
- Is there a fix for GHSA-Q855-8RH5-JFGQ? Yes. GHSA-Q855-8RH5-JFGQ is fixed in 7.10.0. Upgrade to this version or later.
- Is GHSA-Q855-8RH5-JFGQ exploitable, and should I be worried? Whether GHSA-Q855-8RH5-JFGQ is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-Q855-8RH5-JFGQ is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-Q855-8RH5-JFGQ? Upgrade
ha-mcpto 7.10.0 or later.