Anyone controlling Home Assistant with the companion apps on Android or iOS should apply the available update as soon as possible. The update for the apps closes a security vulnerability through which attackers can intercept an access token and thus take over the complete Home Assistant instance.
Details are provided by a security advisory in Home Assistant's GitHub repository; the CVE entry was made public over the weekend (CVE-2026-44698, CVSS 8.3, risk “high”). The advisory describes the vulnerability as Cross-Origin IFrame Token Exfiltration via WebView JavaScript Bridge Callback Injection. Put less technically: because of the flaw, an iframe, for example one from an external service embedded in a Home Assistant dashboard, can execute arbitrary JavaScript in the companion app's main frame and thereby leak the logged-in user's access token. Attackers can then impersonate that user and, depending on the user's role, take over even the complete instance.
The developers describe the attack scenario as follows: a victim has installed the Home Assistant companion app and is logged into the server. Additionally, the victim has added a webpage (iframe) card to a dashboard that points to a third-party website which attackers control – either directly or after a breach of that service. The victim opens the dashboard, whereupon the access token is transmitted to the attackers. The attackers then use the token to access the Home Assistant REST API with the rights of the logged-in user.
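Since the scenario hinges on webpage (iframe) cards that point at origins outside the operator's control, an administrator will want a quick inventory of such cards before and after updating. The following Python script is an added example written for this article, not code from Home Assistant or the advisory; it walks a dashboard configuration (the structure of views and nested cards, with webpage cards using `type: iframe` and a `url` key) and reports cards whose target is neither same-origin nor a host on the local network. The `TRUSTED_HOSTS` set and the sample dashboard are constructed for the example.

```python
"""Audit a Home Assistant dashboard configuration for webpage (iframe) cards
that embed third-party origins.

Added example: the config walker is generic and works on any dict/list tree,
so it can be pointed at a dashboard loaded from YAML or from the JSON under
.storage/lovelace* in the configuration directory.
"""
import ipaddress
from typing import Any, Iterator
from urllib.parse import urlsplit

# Hypothetical trusted hostnames for this example; replace with the names your
# own instance is reached under.
TRUSTED_HOSTS = {"localhost", "homeassistant.local"}


def _is_local_address(host: str) -> bool:
    """True if the host is a loopback or RFC 1918 / ULA address literal."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name, not an IP literal
    return addr.is_loopback or addr.is_private


def iter_cards(node: Any) -> Iterator[dict]:
    """Yield every dict carrying a 'type' key, recursing into stacks, grids, etc."""
    if isinstance(node, dict):
        if "type" in node:
            yield node
        for value in node.values():
            yield from iter_cards(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_cards(item)


def classify_iframe_url(url: str, trusted_hosts=TRUSTED_HOSTS) -> str:
    """Return 'same-origin', 'trusted' or 'external' for a webpage-card URL."""
    parts = urlsplit(url)
    # A relative URL such as "/local/status.html" resolves to the HA origin itself.
    if not parts.scheme and not parts.netloc:
        return "same-origin"
    host = (parts.hostname or "").lower()
    if host in trusted_hosts or _is_local_address(host):
        return "trusted"
    return "external"


def find_external_iframes(config: dict, trusted_hosts=TRUSTED_HOSTS) -> list[dict]:
    """List webpage (iframe) cards whose target is a third-party origin."""
    findings = []
    for card in iter_cards(config):
        if card.get("type") != "iframe":
            continue
        url = str(card.get("url", ""))
        if classify_iframe_url(url, trusted_hosts) == "external":
            findings.append({
                "title": card.get("title", ""),
                "url": url,
                "host": (urlsplit(url).hostname or "").lower(),
            })
    return findings


# Constructed sample dashboard in the shape of a Lovelace config (not real data).
SAMPLE_DASHBOARD = {
    "title": "Home",
    "views": [
        {
            "title": "Overview",
            "cards": [
                {"type": "entities", "entities": ["light.kitchen"]},
                {"type": "iframe", "title": "Camera", "url": "https://192.168.1.50/stream"},
                {"type": "iframe", "title": "Status", "url": "/local/status.html"},
                {"type": "vertical-stack", "cards": [
                    {"type": "iframe", "title": "Weather",
                     "url": "https://weather.example.com/widget"},
                ]},
            ],
        }
    ],
}


if __name__ == "__main__":
    for finding in find_external_iframes(SAMPLE_DASHBOARD):
        print(f"external iframe card '{finding['title']}' -> {finding['url']}")
```

The walker deliberately yields every dict with a `type` key rather than only the top-level `cards` list, so iframe cards nested inside stack or grid cards are not missed. Treating private and loopback addresses as trusted is a convenience for LAN-hosted pages; an operator who proxies external content through a local host should review those entries as well.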