Listen to this Post
The ha-mcp OAuth consent form, a beta feature, accepts a user-supplied `ha_url` and makes an unvalidated server-side HTTP request to `{ha_url}/api/config` . An unauthenticated attacker can exploit this to perform internal network reconnaissance via an error oracle, where different exception types (ConnectionError, Timeout, HTTP 401/403/400+) reveal if a host is up, ports are open, or services are alive . This same primitive exists in two other code paths: REST and WebSocket tool calls that use forged, unsigned OAuth tokens containing an arbitrary `ha_url` . The REST path makes requests to hardcoded API paths (/config, /states) on the attacker-specified host, while the WebSocket path attempts a handshake to `ws://{ha_url}/api/websocket` . The standard deployment method with a pre-configured `HOMEASSISTANT_TOKEN` is not affected .
DailyCVE Form:
Platform: ha-mcp OAuth beta
Version: < 7.0.0
Vulnerability: SSRF via ha_url
Severity: Medium (5.3 CVSS)
Date: March 11, 2026
Prediction: Patch already available
What Undercode Say:
Analytics:
- CVE Published: 2026-03-11
- CVSS Score: 5.3 (Medium)
- Attack Vector: Network
- Privileges Required: None
- User Interaction: None
- CWE: 918 (Server-Side Request Forgery)
- Fix Version: 7.0.0
Exploit:
- Error Oracle Recon: Register a client via open DCR (
POST /register), extract atxn_id, and submit arbitrary `ha_url` values (e.g., `http://internal.service:8080`) to the consent form. Analyze the distinct error messages returned. - Forged Token REST Probe: Base64-decode an existing OAuth token to view the `{“ha_url”: “…”, “ha_token”: “…”}` JSON. Forge a new token by replacing the `ha_url` with an internal address, re-encode it, and use it to call REST tools, which will request `/config` from the target.
- WebSocket Pivot: Use the same forged token to trigger a WebSocket connection to `ws://
/api/websocket` and observe the protocol handshake failure to confirm the service is not Home Assistant.
Protection from this CVE:
- Upgrade ha-mcp to version 7.0.0 or later .
- If unable to patch immediately, disable the beta OAuth feature and rely on the standard deployment method using `HOMEASSISTANT_URL` and `HOMEASSISTANT_TOKEN` .
- Implement network segmentation to restrict outbound traffic from the server running ha-mcp.
Impact:
- Internal Network Reconnaissance: An unauthenticated attacker can scan and map internal hosts, open ports, and identify live services from the server’s network position .
- Security Boundary Bypass: The attack allows probing of internal infrastructure that should not be accessible from the external network.
- Limited Pivoting: In specific scenarios, an attacker could potentially interact with other Home Assistant instances on the internal network .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

