Home Assistant Host Network Mode Vulnerability Exposing Unauthenticated Endpoints to Local Network

Vulnerability

A vulnerability exists in Home Assistant apps configured with host network mode, allowing unauthenticated endpoints to be exposed to the local network via the internal Docker bridge interface. This issue affects Home Assistant Operating System versions through 17.1 and Home Assistant Supervisor versions through 2026.03.1. The vulnerability arises because, on Linux, host network mode shares the host's network namespace without proper firewall restrictions, enabling any device on the same network to access these endpoints without authentication.

Impact

Exploitation of this vulnerability bypasses authentication, granting full API access to unauthenticated network attackers. This access can be used to impersonate users or gain unauthorized control over Home Assistant apps, depending on the specific app's functionality.

Reproduction

To reproduce this vulnerability, first, ensure that a Home Assistant app is running in host network mode and is bound to the internal Docker bridge interface. Then, from a device on the same local network, identify the Home Assistant host IP. Add a host route for the Docker bridge IP via the Home Assistant host IP, making the internal bridge interface reachable. Finally, connect directly to the unauthenticated endpoint on the bridge interface, which will respond without requiring authentication.

Remediation

Users can update to Home Assistant Supervisor version 2026.03.2, which applies the necessary firewall rules to restrict access to the Docker bridge interface from the local network. A future release of Home Assistant Operating System is also planned to include this fix at the Docker engine level.
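The exposure pattern described above (an add-on in host network mode listening on an address that the operator assumed was internal to the Docker bridge) can be inventoried on the host before and after patching. The following audit script is an added example for this page, not code from Home Assistant or the Supervisor project: it parses constructed `docker inspect` JSON to list host-network-mode containers, parses constructed `ss -ltn` output to find TCP listeners bound inside the bridge subnet, and prints an illustrative nftables rule. The bridge subnet (`BRIDGE_SUBNET`), the interface name, the container names and the nftables table/chain are all assumptions for the example; replace them with the values from the host being checked.

```python
"""Audit helper for the host-network-mode exposure pattern (added example, not project code)."""
import ipaddress
import json

# Assumed for this example: the subnet of the Supervisor's internal Docker bridge.
# Placeholder value; read the real one from `ip addr` on the host.
BRIDGE_SUBNET = ipaddress.ip_network("172.30.32.0/23")

# Constructed sample of `docker inspect $(docker ps -q)` output, trimmed to the fields used.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/addon_example_host", "HostConfig": {"NetworkMode": "host"}},
    {"Name": "/addon_example_bridged", "HostConfig": {"NetworkMode": "bridge"}},
])

# Constructed sample of `ss -ltn` output on the host.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:8123        0.0.0.0:*
LISTEN 0      128    172.30.32.1:8099    0.0.0.0:*
LISTEN 0      128    [::1]:631           [::]:*
LISTEN 0      128    *:22                *:*
"""


def host_network_containers(inspect_json: str) -> list[str]:
    """Return the names of containers whose HostConfig.NetworkMode is 'host'."""
    containers = json.loads(inspect_json)
    return [
        c["Name"].lstrip("/")
        for c in containers
        if c.get("HostConfig", {}).get("NetworkMode") == "host"
    ]


def bridge_bound_listeners(ss_output: str, subnet=BRIDGE_SUBNET) -> list[tuple[str, int]]:
    """Parse `ss -ltn` lines and return (address, port) for TCP listeners whose
    local address lies inside the bridge subnet. These are the sockets an operator
    typically believes are reachable only from other containers, but which become
    reachable from the LAN once a route to the bridge subnet exists."""
    found = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 4:
            continue
        addr, _, port = parts[3].rpartition(":")  # "Local Address:Port" column
        addr = addr.strip("[]")  # IPv6 literals are bracketed
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # wildcard '*' and similar tokens are not bridge-bound
        if ip in subnet:
            found.append((str(ip), int(port)))
    return found


def suggested_rule(subnet=BRIDGE_SUBNET, lan_iface: str = "eth0") -> str:
    """Illustrative nftables rule (an assumption of this example, not the Supervisor's
    actual fix): drop packets arriving on the LAN interface that are addressed to the
    bridge subnet, so a host route on another device no longer reaches those sockets.
    Assumes an `inet filter` table with an `input` chain already exists."""
    return f'nft add rule inet filter input iifname "{lan_iface}" ip daddr {subnet} drop'


def audit(inspect_json: str, ss_output: str, subnet=BRIDGE_SUBNET) -> dict:
    """Combine both checks into one report."""
    return {
        "host_mode_containers": host_network_containers(inspect_json),
        "bridge_bound_listeners": bridge_bound_listeners(ss_output, subnet),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_INSPECT, SAMPLE_SS)
    print("host-network-mode containers:", report["host_mode_containers"])
    print("listeners bound inside bridge subnet:", report["bridge_bound_listeners"])
    if report["bridge_bound_listeners"]:
        print("example mitigation:", suggested_rule())
```

On a real host, feed the script the output of `docker inspect $(docker ps -q)` and `ss -ltn`; after updating to the fixed Supervisor release, the listeners will still be reported (they are legitimate internal endpoints) but the firewall rules the update applies should make them unreachable from other devices on the LAN.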

Added: Mar 27, 2026, 8:26 PM
Updated: Mar 27, 2026, 8:26 PM

Vulnerability Rating

Custom Algorithm
spread: 5.7
impact: 1.7
exploitability: 4.8
remediation: 7.9
relevance: 4.8
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.