Unauthenticated Information Disclosure in Homarr Dashboard
CVE-2026-27796

5.3 MEDIUM

Key Information:

Status
Vendor
CVE Published: 7 March 2026

What is CVE-2026-27796?

In the Homarr dashboard, the integration.all tRPC endpoint is declared as a publicProcedure, so it can be called without authentication. Unauthenticated users can therefore retrieve the complete list of configured integrations. The disclosed metadata can include sensitive details such as internal service URLs, integration names, and the corresponding service types. The vulnerability has been resolved in version 1.54.0.
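An added example, not Homarr's own code: a small static audit that flags tRPC procedures built on publicProcedure, the pattern described above, so each one can be reviewed. The router source, the health procedure, the helper names, the allowlist, and the function findPublicProcedures are all constructed for illustration.

```typescript
// Constructed router source for illustration; this is not Homarr's actual code.
const SAMPLE_ROUTER = `
export const integrationRouter = createTRPCRouter({
  all: publicProcedure.query(async ({ ctx }) => {
    return listIntegrations(ctx); // hypothetical helper
  }),
  health:
    publicProcedure.query(() => "ok"),
  byId: protectedProcedure
    .input(z.object({ id: z.string() }))
    .query(async ({ ctx, input }) => getIntegration(ctx, input.id)),
});
`;

interface Finding {
  path: string; // router.procedure, e.g. "integration.all"
  line: number; // 1-based line in the scanned source
}

// Report every procedure built on publicProcedure unless its path is on the
// reviewed allowlist of endpoints meant to be reachable without a session.
function findPublicProcedures(
  routerName: string,
  source: string,
  allowlist: string[] = [],
): Finding[] {
  const findings: Finding[] = [];
  // \s also matches newlines, so "name:\n  publicProcedure" is caught too.
  const pattern = /(\w+)\s*:\s*publicProcedure\b/g;
  let match: RegExpExecArray | null;
  while ((match = pattern.exec(source)) !== null) {
    const path = `${routerName}.${match[1] ?? ""}`;
    if (allowlist.indexOf(path) !== -1) continue;
    const line = source.slice(0, match.index).split("\n").length;
    findings.push({ path, line });
  }
  return findings;
}

// Only the health check is intentionally public in this constructed example.
const unreviewed = findPublicProcedures("integration", SAMPLE_ROUTER, [
  "integration.health",
]);
console.log(unreviewed);
```

A text scan like this is a review aid for custom forks or similar tRPC code bases; for Homarr itself the fix the advisory gives is upgrading to 1.54.0.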

Affected Version(s)

homarr < 1.54.0

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
