How CVE-2026-34205 Works
The Konnected integration in Home Assistant Core registers an HTTP endpoint (/api/konnected/device/{device_id}) via the `KonnectedView` class. This view is marked with requires_auth = False, with a comment indicating that authentication is handled “via the access token from configuration.” However, this promise is only partially implemented.
The integration contains two separate handler methods for the same URL:
– `update_sensor()` – handles POST and PUT requests. This method properly checks the `Authorization: Bearer` header against the configured access token using `hmac.compare_digest()`, returning a `401 Unauthorized` if the token is missing or invalid.
– `get()` – handles GET requests. This method contains no authentication check whatsoever.
By sending unauthenticated GET requests to /api/konnected/device/{device_id}?zone=N, any client on the local network can:
– Enumerate configured device IDs – the endpoint returns a clean 404-vs-200 difference, acting as an oracle for which devices exist.
– Read switch output states – the on/off state of every switch output (siren, strobe, relay outputs) is exposed.
– Read the panel’s zone topology – how the alarm panel’s zones are configured.
– Trigger connection amplification – each unauthenticated GET forces an outbound `panel.async_connect()` call to the Konnected hardware.
The same URL that correctly rejects unauthenticated POST and PUT requests silently serves unauthenticated GET requests, leaking alarm-panel state and device topology to anyone who can reach Home Assistant’s HTTP port (8123 by default). This vulnerability is structurally identical to previously filed CVEs in the same threat-model boundary (CVE-2026-34205 and CVE-2023-50715), where unauthenticated LAN clients can access sensitive information.
Confirmed end-to-end against ghcr.io/home-assistant/home-assistant:2026.5.2. The POST/PUT methods return `401 Unauthorized` without a Bearer token, proving the integration does have an auth check—but only on write methods. The GET method returns `200 OK` with the live state of the siren, strobe, and relay outputs, with no Authorization header required. A deliberately wrong Authorization header produces the same response, confirming the header is never consulted on GET.
The affected code resides in `homeassistant/components/konnected/__init__.py`:
- Lines 296–301: view registration with `requires_auth = False`.
- Lines 313–335: `update_sensor()` with proper Bearer-token check.
- Lines 385–438: `get()` handler with no authentication, and line 397 firing `panel.async_connect()` before any rate-limit or auth logic.
The four-state response oracle enables brute-force device ID enumeration (2^24 space, trivially scannable) and zone topology mapping. A sustained 10-rps scan can cause a connection storm against the Konnected hardware, potentially interfering with legitimate push delivery.
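As an added illustration (not code from Home Assistant or from the advisory), the stand-in below reproduces the method-specific auth split with only the standard library and shows the fix: one shared Bearer-token check applied to every method, GET included. `ACCESS_TOKEN`, `DEVICES`, `bearer_token_ok` and `handle_request` are constructed names, not the integration's own.

```python
import hmac

# Constructed stand-ins: the real view is an aiohttp HomeAssistantView; this
# model only reproduces the token-check logic and the 404/200 responses.
ACCESS_TOKEN = "example-config-token"           # constructed sample value
DEVICES = {"aabbccdd1122": {"5": 1, "6": 0}}     # constructed device -> zone -> state


def bearer_token_ok(headers: dict, expected: str) -> bool:
    """Validate `Authorization: Bearer <token>` in constant time; reject other schemes."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return False
    # Compare as bytes so non-ASCII junk in the header cannot raise TypeError.
    return hmac.compare_digest(token.encode(), expected.encode())


def handle_request(method: str, headers: dict, device_id: str, zone: str, *, hardened: bool):
    """Dispatch like the Konnected view. Vulnerable form: only POST/PUT are checked.
    Hardened form: the same check runs for every method before any device lookup."""
    needs_token = method in ("POST", "PUT") or hardened
    if needs_token and not bearer_token_ok(headers, ACCESS_TOKEN):
        return 401, {"message": "unauthorized"}
    device = DEVICES.get(device_id)
    if device is None:
        return 404, {"message": f"Device {device_id} not configured"}
    if zone not in device:
        return 404, {"message": f"Switch on zone or pin {zone} not configured"}
    if method == "GET":
        return 200, {"zone": zone, "state": device[zone]}
    return 200, {"message": "ok"}
```

With `hardened=True` an unauthenticated client gets 401 for every device ID, so the 404-vs-200 oracle disappears along with the state leak.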
DailyCVE Form
| Field | Value |
|-|-|
| Platform | Home Assistant |
| Version | 2026.5.2 |
| Vulnerability | Unauthenticated GET leak |
| Severity | Critical |
| Date | 2026-05-18 |
| Prediction | 2026-06-01 |
What Undercode Say
Analytics:
- Affected component: `homeassistant/components/konnected/__init__.py`
- Attack vector: Local network (LAN), port 8123
- Authentication bypass: GET method omits token check
- Information leaked: Switch states, zone topology, device IDs
- Amplification: N GETs → N outbound `panel.async_connect()` calls
- No audit trail: GET requests not logged at INFO level
Bash Commands & Codes:
```bash
# Check if the Konnected integration is loaded
docker exec ha-container grep "Setting up konnected" /config/home-assistant.log

# Enumerate device IDs (brute-force oracle)
for id in {000000000000..ffffffffffff}; do
curl -s -o /dev/null -w "%{http_code}" "http://127.0.0.1:8123/api/konnected/device/$id?zone=5"
done

# Read siren state (unauthenticated)
curl -s "http://127.0.0.1:8123/api/konnected/device/aabbccdd1122?zone=5"
# Output: {"zone":"5","state":1}

# Read strobe state
curl -s "http://127.0.0.1:8123/api/konnected/device/aabbccdd1122?zone=6"

# Read relay output state
curl -s "http://127.0.0.1:8123/api/konnected/device/aabbccdd1122?zone=7"

# Map all zones (1-12) for a known device
for zone in {1..12}; do
curl -s "http://127.0.0.1:8123/api/konnected/device/aabbccdd1122?zone=$zone"
done

# Trigger connection amplification (10 GETs → 10 async_connect() calls)
for i in {1..10}; do
curl -s -o /dev/null "http://127.0.0.1:8123/api/konnected/device/aabbccdd1122?zone=5"
done

# Confirm Authorization header is ignored
curl -s -H "Authorization: Bearer wrong-token" "http://127.0.0.1:8123/api/konnected/device/aabbccdd1122?zone=5"
# Still returns 200 with state
```
Exploit
An unauthenticated attacker on the same LAN can:
- Enumerate device IDs by sweeping the 24-bit MAC-derived space, using the 404 message distinction ("Device <id> not configured" vs. "Switch on zone or pin <n> not configured") to identify active devices.
- Read live alarm states by probing zones 1–12 for each discovered device, obtaining the real-time on/off status of siren, strobe, and relay outputs.
- Map panel topology by correlating zone responses with manufacturer documentation to identify which zones are sensors vs. switches and their physical functions.
- Amplify connections by sending a high rate of GET requests, forcing the Home Assistant server to repeatedly call `panel.async_connect()` toward the Konnected hardware, potentially causing denial-of-service or spurious notification storms.
- Operate undetected – the GET handler logs nothing at INFO level, leaving no trace in `home-assistant.log` unless DEBUG is enabled.
Protection
- Upgrade to Home Assistant Core 2026.6.0 or later – the Konnected integration was completely removed in this version, eliminating the vulnerability.
- Migrate to the ESPHome integration – as suggested in the existing repair issue for the Konnected integration, this provides a secure alternative.
- Network segmentation – restrict access to port 8123 to trusted subnets only; do not expose Home Assistant to untrusted LAN segments (e.g., guest Wi-Fi, shared networks).
- Firewall rules – block inbound connections to port 8123 from untrusted IP ranges.
- Disable the Konnected integration – if you are not actively using it, remove or disable the integration to close the attack surface.
Impact
- Alarm-system reconnaissance – an attacker can determine if the siren is firing (state:1) or silent (state:0), indicating whether a burglary is in progress and whether the operator is distracted or away. The same applies to strobes and armed-disable relays.
- Topology disclosure – mapping zones reveals which physical control points to bypass, enabling targeted physical intrusion.
- Device ID brute force – the 24-bit MAC-derived space is trivially scannable from any LAN host with no rate limit, allowing attackers to discover all Konnected devices on the network.
- Outbound connection amplification – a sustained scan can flood the Konnected hardware with connection attempts, potentially interfering with legitimate push updates and causing spurious connect/disconnect cycles visible to the operator.
- No audit trail – the lack of logging at INFO level means attackers can probe the endpoint extensively without leaving any record in the standard logs.
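Because the GET handler leaves no INFO-level trace in `home-assistant.log`, the access log of a reverse proxy in front of port 8123 is the practical place to watch for this probing. The script below is an added example (not part of the advisory or of Home Assistant): it parses constructed nginx-style lines for the Konnected endpoint and flags a client that is walking the 404-vs-200 device-ID oracle or driving the GET rate that causes connection amplification. The sample lines, IP addresses, proxy log format and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: nginx "combined"-format lines from a reverse proxy that
# fronts Home Assistant on port 8123 (HA itself does not log these GETs at INFO).
LINE = ('{ip} - - [18/May/2026:10:00:{sec:02d} +0000] "{m} /api/konnected/device/'
        '{dev}?zone=5 HTTP/1.1" {st} 23 "-" "curl/8.5.0"')
SAMPLE_LOG = "\n".join(
    [LINE.format(ip="192.168.1.50", sec=1, m="GET", dev=f"aabbccdd11{n:02x}",
                 st=200 if n == 0 else 404) for n in range(12)]   # one client sweeping IDs
    + [LINE.format(ip="192.168.1.10", sec=5, m="POST", dev="aabbccdd1100", st=200)]
)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
PATH_RE = re.compile(r"^/api/konnected/device/([0-9a-fA-F]+)(?:\?|$)")

def parse_line(line):
    """Return (ip, time, method, device_id, status) for hits on the Konnected view, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    p = PATH_RE.match(path)
    if not p:
        return None
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method.upper(), p.group(1).lower(), int(status)

def analyze(log_text, max_distinct_ids=5, max_get_rps=10.0):
    """Summarise GET probing per client IP and flag ID sweeps and connection amplification."""
    per_ip = defaultdict(lambda: {"gets": 0, "ids": set(), "not_found": 0,
                                  "times": [], "alerts": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[2] != "GET":
            continue  # POST/PUT already require the Bearer token; only GET bypasses it
        ip, when, _, dev, status = rec
        s = per_ip[ip]
        s["gets"] += 1
        s["ids"].add(dev)
        s["not_found"] += int(status == 404)
        s["times"].append(when)
    for s in per_ip.values():
        window = max((max(s["times"]) - min(s["times"])).total_seconds(), 1.0)
        s["rps"] = s["gets"] / window
        if len(s["ids"]) >= max_distinct_ids and s["not_found"]:
            s["alerts"].append("device_id_sweep")  # the 404-vs-200 oracle being walked
        if s["rps"] >= max_get_rps:
            s["alerts"].append("connection_amplification")  # each GET -> async_connect()
    return dict(per_ip)
```

Run it over the real proxy log instead of `SAMPLE_LOG`; a single LAN host touching many distinct device IDs with mostly 404s is the signature of the oracle sweep described above.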
Sources:
Reported By: github.com

