Authentication Bypass in Home Assistant's Konnected Integration
CVE-2026-54317

7.6 HIGH

Key Information:

CVE Published: 23 June 2026

What is CVE-2026-54317?

The Konnected integration in Home Assistant, an open-source home automation software, previously allowed unauthorized access to sensitive functions because GET requests were not subject to proper authentication checks. Write requests (POST and PUT) were validated against an access token, but read requests (GET) were left exposed, so attackers could potentially access crucial data. The issue is resolved in the 2026.6.0 update, which underlines the importance of robust security measures in IoT devices.

Affected Version(s)

core < 2026.6.0

CVSS V3.1

Score: 7.6
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved