ha-mcp OAuth beta, Server-Side Request Forgery (SSRF), CVE-2026-32111 (Medium)

Listen to this Post

The ha-mcp OAuth consent form, a beta feature, accepts a user-supplied `ha_url` and makes an unvalidated server-side HTTP request to `{ha_url}/api/config` . An unauthenticated attacker can exploit this to perform internal network reconnaissance via an error oracle, where different exception types (ConnectionError, Timeout, HTTP 401/403/400+) reveal if a host is up, ports are open, or services are alive . This same primitive exists in two other code paths: REST and WebSocket tool calls that use forged, unsigned OAuth tokens containing an arbitrary `ha_url` . The REST path makes requests to hardcoded API paths (/config, /states) on the attacker-specified host, while the WebSocket path attempts a handshake to `ws://{ha_url}/api/websocket` . The standard deployment method with a pre-configured `HOMEASSISTANT_TOKEN` is not affected .

DailyCVE Form:

Platform: ha-mcp OAuth beta
Version: < 7.0.0
Vulnerability: SSRF via ha_url
Severity: Medium (5.3 CVSS)
Date: March 11, 2026

Prediction: Patch already available

What Undercode Say:

Analytics:

  • CVE Published: 2026-03-11
  • CVSS Score: 5.3 (Medium)
  • Attack Vector: Network
  • Privileges Required: None
  • User Interaction: None
  • CWE: 918 (Server-Side Request Forgery)
  • Fix Version: 7.0.0

Exploit:

  1. Error Oracle Recon: Register a client via open DCR (POST /register), extract a txn_id, and submit arbitrary `ha_url` values (e.g., `http://internal.service:8080`) to the consent form. Analyze the distinct error messages returned.
  2. Forged Token REST Probe: Base64-decode an existing OAuth token to view the `{“ha_url”: “…”, “ha_token”: “…”}` JSON. Forge a new token by replacing the `ha_url` with an internal address, re-encode it, and use it to call REST tools, which will request `/config` from the target.
  3. WebSocket Pivot: Use the same forged token to trigger a WebSocket connection to `ws:///api/websocket` and observe the protocol handshake failure to confirm the service is not Home Assistant.

Protection from this CVE:

  • Upgrade ha-mcp to version 7.0.0 or later .
  • If unable to patch immediately, disable the beta OAuth feature and rely on the standard deployment method using `HOMEASSISTANT_URL` and `HOMEASSISTANT_TOKEN` .
  • Implement network segmentation to restrict outbound traffic from the server running ha-mcp.

Impact:

  • Internal Network Reconnaissance: An unauthenticated attacker can scan and map internal hosts, open ports, and identify live services from the server’s network position .
  • Security Boundary Bypass: The attack allows probing of internal infrastructure that should not be accessible from the external network.
  • Limited Pivoting: In specific scenarios, an attacker could potentially interact with other Home Assistant instances on the internal network .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top