DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-Q855-8RH5-JFGQ: GHSA-Q855-8RH5-JFGQ: Missing Authentication and CSRF in ha-mcp bare root settings and policy routes

GHSA-Q855-8RH5-JFGQ: Missing Authentication and CSRF in ha-mcp bare root settings and policy routes

Vulnerability ID: GHSA-Q855-8RH5-JFGQ
CVSS Score: 6.5
Published: 2026-07-07

The ha-mcp add-on for Home Assistant exposes its settings and security policy routes without authentication at the bare root path of TCP port 9583. This exposure allows unauthorized adjacent network clients to reconfigure tools, alter policies, and bypass human-in-the-loop approval gates. The vulnerability has been addressed in development build 7.6.0.dev393 and subsequent releases by restricting access to root-mounted routes exclusively to the Supervisor Ingress IP.

TL;DR

The ha-mcp add-on exposes administrative and policy endpoints on port TCP/9583 without authentication. Network-adjacent attackers can alter tool configurations, modify feature flags, and bypass human-in-the-loop approval gates by accessing the bare root endpoints directly.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-306, CWE-352
  • Attack Vector: Network
  • CVSS v3.1 Score: 6.5
  • EPSS Score: 0.00045
  • Impact: Bypass of Policy Controls & Tool Reconfiguration
  • Exploit Status: PoC Available
  • KEV Status: Not Listed

Affected Systems

  • ha-mcp (Home Assistant Add-on)
  • ha-mcp: <= 7.6.0 (Fixed in: 7.6.0.dev393)

Code Analysis

Commit: 9f5b085

Add IP check for root-mounted routes to ensure they only come from HA Supervisor Ingress

--- a/src/ha_mcp/settings_ui.py\n+++ b/src/ha_mcp/settings_ui.py\n@@ -1,3 +1,24 @@\n+SUPERVISOR_INGRESS_IP = \"172.30.32.2\"\n+\n+def _ingress_only(handler):\n+    async def _guarded(request):\n+        peer = request.client.host if request.client else None\n+        if peer != SUPERVISOR_INGRESS_IP:\n+            return JSONResponse({\"error\": \"Unauthorized\"}, status_code=403)\n+        return await handler(request)\n+    return _guarded
Enter fullscreen mode Exit fullscreen mode

Exploit Details

Mitigation Strategies

  • Upgrade the ha-mcp add-on to version 7.6.0.dev393 or later to apply the IP-based ingress guard.
  • Disable port mapping or host network exposure for TCP port 9583 if external direct access is not required.
  • Configure host-level firewall rules to block direct incoming TCP traffic on port 9583 from external interfaces.

Remediation Steps:

  1. Open the Home Assistant Settings dashboard and navigate to Add-ons.
  2. Select the ha-mcp add-on from the list of installed applications.
  3. Check the current version. If the version is <= 7.6.0 and does not contain the dev393 patch, click 'Update'.
  4. Under the 'Configuration' tab, verify if the port 9583 is exposed to the host network. If possible, disable or restrict this port mapping.
  5. Restart the add-on to apply the configuration and software updates.

References


Read the full report for GHSA-Q855-8RH5-JFGQ on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)