Home Assistant Platform Vulnerable to Remote Operation

Critical Vulnerability in Home Assistant Supervisor Component Discovered

A critical vulnerability (CVE-2023-27482) has been uncovered in the Home Assistant Supervisor component, according to a disclosure on the Home Assistant website. This vulnerability allows attackers to bypass authentication and gain full access to the privileged API supervisor, through which they can modify settings, install and update software, control additions, and backups.

The vulnerability affects installations that use the Supervisor component and has been present since its first release in 2017. It is present in the Home Assistant OS and Home Assistant Supervised environments, but does not affect Home Assistant Container or manually created Python-based installations.

The Home Assistant development team has released a fix for the vulnerability in the form of Home Assistant Supervisor 2023.01.1. Additionally, a bypass option has been included in the production of Home Assistant 2023.3.0. For systems where it is not possible to install the update to block the vulnerability, access to the Home Assistant Web Service from external networks can be limited.

Users are urged to update their installations as soon as possible to stay protected from this critical vulnerability.

/Reports, release notes, official announcements.