Authentication Bypass Vulnerability in HomeBox by Sysadmins Media
CVE-2026-27981

7.4HIGH

Key Information:

Vendor: Sysadminsmedia
Status: Homebox
Vendor: CVE Published:; 3 March 2026

🔔 Create Sysadminsmedia Vulnerability Alert

What is CVE-2026-27981?

HomeBox, a home inventory and organization system, has an authentication vulnerability affecting versions prior to 0.24.0. The issue arises from the way the system tracks failed authentication attempts based on client IP addresses. Attackers can exploit this by forging the X-Real-IP header, bypassing the rate limiting mechanism. Although there is a TrustProxy configuration option, it remains unused in the rate limiter logic, which leads to potential unauthorized access. This vulnerability has been addressed in version 0.24.0.

Affected Version(s)

homebox < 0.24.0

References

https://github.com/sysadminsmedia/homebox/security/adviso...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 3, 2026
Vulnerability Reserved
Feb 25, 2026

CVE-2026-27981 Data

JSON