Cross-Origin JavaScript Execution Vulnerability in Home Assistant Companion Apps for iOS and Android
CVE-2026-44698

8.3 HIGH

What is CVE-2026-44698?

The Home Assistant Companion apps for iOS and Android contain a security flaw that allows a cross-origin iframe to execute arbitrary JavaScript within the main application context. The cause is an exposed JavaScript bridge that does not sanitize user-controlled input. An attacker could use the flaw to reach sensitive user data, including access tokens, compromising user privacy and security. The issue is fixed in version 2026.4.1 for iOS and 2026.4.4 for Android.
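The advisory names the class of bug (a privileged JavaScript bridge reachable from a cross-origin frame) but not the exact code path. The following is an added example, not Home Assistant's code and not the patched implementation: it models in plain Node.js the page-side dispatcher of a WebView bridge, with a weak variant that trusts any sender beside a hardened one that allowlists the sender origin, accepts messages only from the top-level document, and maps messages onto a fixed command table instead of treating them as code. The origins, command names, the event shape, the `bridge` mock and the token value are all constructed assumptions.

```javascript
// Added illustration, not Home Assistant code. Origins, commands and the
// bridge mock are constructed for this example.

const ALLOWED_ORIGINS = new Set(["https://app.example.invalid"]); // constructed

// Each allowed command validates its own arguments; nothing is evaluated as code.
const COMMANDS = {
  getConfig(bridge) {
    return bridge.getConfig();
  },
  callService(bridge, args) {
    const id = /^[a-z_]{1,64}$/;
    if (typeof args !== "object" || args === null) throw new Error("bad args");
    if (!id.test(args.domain) || !id.test(args.service)) throw new Error("bad service id");
    return bridge.callService(args.domain, args.service);
  },
};

// Weak pattern: no sender check, and an attacker-chosen string selects which
// privileged method runs. Any frame that can post a message reaches the bridge.
function unsafeHandleBridgeMessage(event, bridge) {
  const { cmd, args } = event.data;
  return { ok: true, result: bridge[cmd](args) };
}

// Hardened pattern: origin allowlist, top-frame-only, structural validation,
// command allowlist (own properties only, so prototype names are rejected).
function safeHandleBridgeMessage(event, bridge, topWindow, allowedOrigins = ALLOWED_ORIGINS) {
  if (!allowedOrigins.has(event.origin)) return { ok: false, reason: "origin not allowlisted" };
  if (event.source !== topWindow) return { ok: false, reason: "sender is not the top-level document" };
  const data = event.data;
  if (typeof data !== "object" || data === null || typeof data.cmd !== "string") {
    return { ok: false, reason: "malformed message" };
  }
  if (!Object.prototype.hasOwnProperty.call(COMMANDS, data.cmd)) {
    return { ok: false, reason: "unknown command" };
  }
  try {
    return { ok: true, result: COMMANDS[data.cmd](bridge, data.args) };
  } catch (e) {
    return { ok: false, reason: e.message };
  }
}

// Mock of the privileged native side. A real bridge would hold the user's
// access token; here it is a constructed placeholder string.
function makeMockBridge() {
  const calls = [];
  return {
    calls,
    getConfig: () => ({ version: "mock" }),
    callService: (domain, service) => { calls.push(`${domain}.${service}`); return "called"; },
    getToken: () => "TOKEN-PLACEHOLDER",
  };
}

// Runs one message from a third-party iframe and one from the app's own
// top-level document through both handlers and returns the outcomes.
function demo() {
  const top = { name: "top" };
  const iframe = { name: "iframe" };
  const bridge = makeMockBridge();
  const fromIframe = {
    origin: "https://third-party.example.invalid", // constructed foreign origin
    source: iframe,
    data: { cmd: "getToken" },
  };
  const fromApp = {
    origin: "https://app.example.invalid",
    source: top,
    data: { cmd: "callService", args: { domain: "light", service: "turn_on" } },
  };
  return {
    unsafeIframe: unsafeHandleBridgeMessage(fromIframe, bridge), // token leaks
    safeIframe: safeHandleBridgeMessage(fromIframe, bridge, top), // refused
    safeApp: safeHandleBridgeMessage(fromApp, bridge, top),       // allowed
    calls: bridge.calls,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The three checks are independent, and each closes a different hole: the origin allowlist stops content from other sites, the top-window comparison stops same-origin embedded frames from impersonating the app shell, and the command table with per-command argument validation means a message can never become code. On the native side the equivalent is to register the bridge only for an explicit origin allowlist rather than for every frame the WebView loads.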

Affected Version(s)

Companion app (Android) < 2026.4.4

Companion app (iOS) < 2026.4.1

core < 2026.4.4

CVSS v3.1

Score: 8.3
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
