Home Assistant: Smartphone apps allow takeover by attackers

The companion apps for Android and iOS contain a security vulnerability through which attackers could take over Home Assistant instances.


Anyone controlling Home Assistant with the companion apps on Android or iOS should install the available update as soon as possible. The app update closes a security vulnerability through which attackers can obtain a user's access token and thus take over the complete Home Assistant instance.

Details are provided in a security advisory in Home Assistant's GitHub repository; the CVE entry was made public over the weekend (CVE-2026-44698, CVSS 8.3, risk "high"). The advisory describes the vulnerability as Cross-Origin IFrame Token Exfiltration via WebView JavaScript Bridge Callback Injection. Put less technically: a web page embedded in a Home Assistant dashboard as an iframe, for example one from an external service, can use the flaw to run arbitrary JavaScript in the companion app's main frame and thereby read out the logged-in user's access token. With that token, attackers can impersonate the user; depending on the user's role, this means control over the complete instance.

The developers describe the attack scenario as follows: the victim has the Home Assistant companion app installed and is logged in to the server. In addition, the victim has added a webpage (iframe) card to a dashboard that points to a third-party website which the attackers control, either directly or after compromising that service. When the victim opens the dashboard, the access token is sent to the attackers, who then use it to call the Home Assistant REST API with the rights of the logged-in user.

The vulnerability is fixed in version 2026.4.4 of the Android companion app and version 2026.4.1 of the iOS app. Anyone who cannot update immediately should remove webpage cards from their dashboards and avoid embedding third-party URLs, for example for weather widgets, status pages or external dashboards.
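To apply the interim mitigation systematically rather than by clicking through every dashboard, the following script walks a stored Home Assistant dashboard and lists every webpage (iframe) card whose URL points to a host other than the instance itself. This is an added example written for this article, not code from the Home Assistant project or the advisory. It assumes the JSON layout of the UI-edited dashboards stored under `.storage/lovelace*` (a `data.config.views` tree with nested `cards`, `card` and `sections` containers) and that the webpage card appears there as `type: iframe` with a `url` key; the dashboard content embedded below is constructed for the example and the hostnames in it are made up.

```python
import json
import sys
from urllib.parse import urlsplit

# Constructed sample in the shape of a stored dashboard file (.storage/lovelace.*):
# data.config.views -> cards, with a vertical-stack, a conditional card and a
# sections view so that nested containers are exercised. URLs are invented.
SAMPLE_DASHBOARD = json.loads("""
{
  "data": {
    "config": {
      "views": [
        {
          "title": "Home",
          "cards": [
            {"type": "entities", "entities": ["light.kitchen"]},
            {"type": "iframe", "url": "https://weather.example.net/widget",
             "aspect_ratio": "50%"},
            {"type": "vertical-stack", "cards": [
              {"type": "iframe", "url": "/local/status.html"},
              {"type": "conditional",
               "conditions": [{"entity": "binary_sensor.away", "state": "on"}],
               "card": {"type": "iframe",
                        "url": "http://homeassistant.local:8123/map"}}
            ]}
          ]
        },
        {
          "title": "Sections",
          "type": "sections",
          "sections": [
            {"type": "grid", "cards": [
              {"type": "iframe", "url": "https://status.example.org/"}
            ]}
          ]
        }
      ]
    }
  }
}
""")


def find_iframe_cards(node, path=()):
    """Recursively collect (path, card) for every dict with type == "iframe",
    descending through any nesting (views, sections, stacks, conditional cards)."""
    found = []
    if isinstance(node, dict):
        if node.get("type") == "iframe":
            found.append((path, node))
        for key, value in node.items():
            found.extend(find_iframe_cards(value, path + (key,)))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            found.extend(find_iframe_cards(item, path + (index,)))
    return found


def is_third_party(url, instance_hosts):
    """Treat a URL as third-party unless it is relative (served by Home Assistant
    itself, e.g. /local/...) or its host is one of the instance's own hostnames."""
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        return False
    return parts.hostname not in instance_hosts


def audit_dashboard(dashboard, instance_hosts):
    """Return [(json_path, url)] for every iframe card embedding a third-party origin."""
    config = dashboard.get("data", {}).get("config", dashboard)
    findings = []
    for path, card in find_iframe_cards(config):
        url = card.get("url", "")
        if is_third_party(url, instance_hosts):
            findings.append(("/".join(str(p) for p in path), url))
    return findings


if __name__ == "__main__":
    # usage: python audit_iframes.py [.storage/lovelace] [instance-host ...]
    hosts = set(sys.argv[2:]) or {"homeassistant.local"}
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            dashboard = json.load(fh)
    else:
        dashboard = SAMPLE_DASHBOARD
    for json_path, url in audit_dashboard(dashboard, hosts):
        print(f"third-party iframe at {json_path}: {url}")
```

Run it against each `.storage/lovelace*` file with your instance's hostnames as extra arguments; every line it prints is a card to remove until the app update is installed. YAML-mode dashboards would need a YAML loader in place of `json.load`, but the walk itself is the same.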


For those interested in smart home control using Home Assistant and looking for a way to get started, a detailed Home Assistant introduction can be found here.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.