CVE-2023-50715
Published 2023-12-15
Priority: P4 (20)
Severity: medium, CVSS 3.1 base score 4.3
CVSS 3.1 vector: AV:A / AC:L / PR:N / UI:N / S:U / C:L / I:N / A:N
EPSS: 0.91% (55.4th percentile)
Home Assistant is open source home automation software. Prior to version 2023.12.3, the login page discloses all active user accounts to any unauthenticated browsing request originating on the Local Area Network. Version 2023.12.3 contains a patch for this issue.
Starting with the Home Assistant 2023.12 release, the login page returns all currently active user accounts to browsing requests from the Local Area Network. Tests showed that this occurs when the request is not authenticated and the request originated locally, meaning on the Home Assistant host's local subnet or any other private subnet. The rationale is to make login more user-friendly and better aligned with other applications that offer multiple user profiles.
As a result, however, every account is displayed, whether or not it has ever logged in, to any device that navigates to the server. The disclosure is mitigated by the fact that it occurs only for requests originating from a LAN address, but note that this covers both the local subnet where Home Assistant resides and any private subnet that can reach it.
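The "originated locally" condition above is the part an operator most often misjudges, because it is a fixed list of private ranges (the ones quoted in the GHSA advisory on this page, including the IPv4-mapped IPv6 forms) rather than "my subnet". The following is an added example, not Home Assistant's own code: it classifies a request's remote address against those ranges and models the advisory's three conditions (affected release, unauthenticated, local origin) so a defender can reason about which clients would have received the user list. The function names `is_local_origin`, `login_exposes_user_list` and `parse_version` are assumptions; the release bounds come from the advisory's Details (behaviour introduced in 2023.12) and the affected-version table (fixed in 2023.12.3).

```python
import ipaddress

# The private ranges the GHSA advisory on this page lists as "local";
# requests from these addresses received the user list before 2023.12.3.
LOCAL_RANGES = tuple(
    ipaddress.ip_network(cidr)
    for cidr in (
        "10.0.0.0/8",
        "172.16.0.0/12",
        "192.168.0.0/16",
        "fd00::/8",
        "::ffff:10.0.0.0/104",
        "::ffff:172.16.0.0/108",
        "::ffff:192.168.0.0/112",
    )
)

# Release that introduced the behaviour (per the advisory's Details) and the
# release that patched it (per the affected-version table).
FIRST_AFFECTED = (2023, 12, 0)
FIXED_IN = (2023, 12, 3)


def parse_version(version: str) -> tuple:
    """Turn a Home Assistant release string such as '2023.12.2' into a
    comparable tuple of ints. Hypothetical helper, not Home Assistant's."""
    return tuple(int(part) for part in version.split("."))


def is_local_origin(remote_addr: str) -> bool:
    """True when remote_addr falls inside one of the advisory's private ranges.

    IPv4-mapped IPv6 forms (::ffff:a.b.c.d) are covered by the /104, /108 and
    /112 entries, so a dual-stack listener gets the same answer either way.
    Loopback (127.0.0.1, ::1) is not in the advisory's list and so is not
    "local" here. Unparseable input is treated as non-local.
    Hypothetical helper name.
    """
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_RANGES)


def login_exposes_user_list(version: str, remote_addr: str, authenticated: bool) -> bool:
    """Model the advisory's conditions for the user list being returned:
    a release in [2023.12.0, 2023.12.3), an unauthenticated request, and a
    local-origin address. Hypothetical helper name."""
    v = parse_version(version)
    if not (FIRST_AFFECTED <= v < FIXED_IN):
        return False
    if authenticated:
        return False
    return is_local_origin(remote_addr)


if __name__ == "__main__":
    # Constructed sample requests, not data from the advisory.
    samples = [
        ("2023.12.2", "192.168.1.10", False),
        ("2023.12.2", "::ffff:10.0.0.7", False),
        ("2023.12.2", "203.0.113.5", False),
        ("2023.12.3", "192.168.1.10", False),
        ("2023.12.2", "192.168.1.10", True),
    ]
    for version, addr, authed in samples:
        verdict = login_exposes_user_list(version, addr, authed)
        print(version, addr, "auth" if authed else "anon",
              "-> user list returned" if verdict else "-> not returned")
```

Two things the check makes visible: `172.32.0.1` is not local (172.16.0.0/12 ends at 172.31.255.255), and loopback is not on the list at all. The other caveat is deployment-specific and not modelled here: if Home Assistant sits behind a reverse proxy and is not configured to trust that proxy's forwarded client address (the `http:` options `use_x_forwarded_for` and `trusted_proxies`), every request arrives from the proxy's LAN address and would have been classified as local regardless of where the real client was.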
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| home-assistant | core | < 2023.12.3 | 2023.12.3 |
| home-assistant | home-assistant | < 2023.12.3 | 2023.12.3 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| ghsa | | 4.3 | MEDIUM | |
GHSA: CVE-2026-54317 [MEDIUM] CWE-200, published 2026-06-19, CVSS 4.3
Home Assistant: Konnected alarm-panel switch state and zone topology disclosed to unauthenticated actors on the LAN
### Summary
The Konnected integration registers an HTTP endpoint, `KonnectedView` (`homeassistant/components/konnected/__init__.py`), that is marked as **not requiring authentication** (`requires_auth = False`). A comment next to that line says auth is instead handled "via the access token from configuration."
That promise is only half true:
- **Write requests (POST and PUT)** are handled by `update_sensor()`, which *does* check the request's `Authorization: Bearer ` header against the integration's stored access tokens (using `hmac.compare_digest`).
- **Read requests (GET)** are handled by a separate `get()` method that has **no authentication check at all.**
By sending
GHSA: CVE-2023-50715 [MEDIUM] CWE-200, published 2023-12-15
User accounts disclosed to unauthenticated actors on the LAN
### Summary
The login page discloses all active user accounts to any unauthenticated browsing request originating on the Local Area Network.
### Details
Starting the [Home Assistant 2023.12 release](https://www.home-assistant.io/blog/2023/12/06/release-202312/), the login page returns all currently active user accounts to browsing requests from the Local Area Network. Tests showed that this occurs when:
- The request is not authenticated and
- The request originated locally, meaning on the Home Assistant host local subnet or any other private subnet (`10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fd00::/8, ::ffff:10.0.0.0/104, ::ffff:172.16.0.0/108, ::ffff:192.168.0.0/112`)
The rationale behind this is to make the login more u
OSV: CVE-2023-50715 [MEDIUM], published 2023-12-15
User accounts disclosed to unauthenticated actors on the LAN
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/home-assistant/core/security/advisories/GHSA-jqpc-rc7g-vf83
- https://github.com/home-assistant/core/commit/dbfc5ea8f96bde6cd165892f5a6a6f9a65731c76