GHSA-Q855-8RH5-JFGQ: Missing Authentication and CSRF in ha-mcp bare root settings and policy routes
Vulnerability ID: GHSA-Q855-8RH5-JFGQ
CVSS Score: 6.5
Published: 2026-07-07
The ha-mcp add-on for Home Assistant exposes its settings and security policy routes without authentication at the bare root path of TCP port 9583. This exposure allows unauthorized adjacent network clients to reconfigure tools, alter policies, and bypass human-in-the-loop approval gates. The vulnerability has been addressed in development build 7.6.0.dev393 and subsequent releases by restricting access to root-mounted routes exclusively to the Supervisor Ingress IP.
TL;DR
The ha-mcp add-on exposes administrative and policy endpoints on port TCP/9583 without authentication. Network-adjacent attackers can alter tool configurations, modify feature flags, and bypass human-in-the-loop approval gates by accessing the bare root endpoints directly.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-306, CWE-352
- Attack Vector: Network
- CVSS v3.1 Score: 6.5
- EPSS Score: 0.00045
- Impact: Bypass of Policy Controls & Tool Reconfiguration
- Exploit Status: PoC Available
- KEV Status: Not Listed
Affected Systems
- ha-mcp (Home Assistant Add-on)
-
ha-mcp: <= 7.6.0 (Fixed in:
7.6.0.dev393)
Code Analysis
Commit: 9f5b085
Add IP check for root-mounted routes to ensure they only come from HA Supervisor Ingress
--- a/src/ha_mcp/settings_ui.py\n+++ b/src/ha_mcp/settings_ui.py\n@@ -1,3 +1,24 @@\n+SUPERVISOR_INGRESS_IP = \"172.30.32.2\"\n+\n+def _ingress_only(handler):\n+ async def _guarded(request):\n+ peer = request.client.host if request.client else None\n+ if peer != SUPERVISOR_INGRESS_IP:\n+ return JSONResponse({\"error\": \"Unauthorized\"}, status_code=403)\n+ return await handler(request)\n+ return _guarded
Exploit Details
- GitHub Study Repository: Safe lab verification probe to identify exposure of bare-root administrative endpoints.
Mitigation Strategies
- Upgrade the ha-mcp add-on to version 7.6.0.dev393 or later to apply the IP-based ingress guard.
- Disable port mapping or host network exposure for TCP port 9583 if external direct access is not required.
- Configure host-level firewall rules to block direct incoming TCP traffic on port 9583 from external interfaces.
Remediation Steps:
- Open the Home Assistant Settings dashboard and navigate to Add-ons.
- Select the ha-mcp add-on from the list of installed applications.
- Check the current version. If the version is <= 7.6.0 and does not contain the dev393 patch, click 'Update'.
- Under the 'Configuration' tab, verify if the port 9583 is exposed to the host network. If possible, disable or restrict this port mapping.
- Restart the add-on to apply the configuration and software updates.
References
- GitHub Security Advisory GHSA-Q855-8RH5-JFGQ
- Remediation Pull Request #1508
- Fix Commit 9f5b085
- Independent Ingress Boundary Study Repository
- Research Root-Cause Analysis Document
- Research Remediation Analysis Document
- Safe Lab Reproducer Probe
- Sigma Detection Rule
- Microsoft Sentinel Detection Rule
- Splunk SPL Detection Rule
- Disclosure Timeline
Read the full report for GHSA-Q855-8RH5-JFGQ on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)