HomeBox Default Group ID Access Control Vulnerability Allowing Unauthorized API CRUD Operations

Vulnerability

A vulnerability in HomeBox versions prior to 0.25.0 allows users to retain access to a default group ID after being removed from a group's access. While the web interface properly enforced this revocation, the API did not. This discrepancy enabled users to perform full create, read, update, and delete operations on the group's collections via the API, bypassing intended access controls. The root cause is that the API did not properly validate the default group ID when the X-Tenant header was omitted, so the default group remained accessible to users even after their access was revoked.
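
The following Go sketch is an added illustration of the access-control gap described above, not code from HomeBox itself; the User type, its fields, and the two resolver functions are assumptions chosen to model the behaviour, with the vulnerable fallback shown next to a hardened version that checks membership on both paths.

```go
package main

import (
	"errors"
	"fmt"
)

// User holds the account state that matters for group resolution.
// Field names are assumptions for this example, not HomeBox's own types.
type User struct {
	DefaultGroupID string          // used when the X-Tenant header is absent
	Memberships    map[string]bool // group IDs the user currently belongs to
}

var errForbidden = errors.New("forbidden: not a member of the requested group")

// resolveGroupVulnerable models the advisory's flaw: an explicit X-Tenant
// value is checked, but the fallback to the stored default group ID is not.
func resolveGroupVulnerable(u User, xTenant string) (string, error) {
	if xTenant == "" {
		return u.DefaultGroupID, nil // stale default still grants access
	}
	if !u.Memberships[xTenant] {
		return "", errForbidden
	}
	return xTenant, nil
}

// resolveGroupFixed runs the membership check on both paths, so a default
// group ID left over from a revoked membership no longer grants access.
func resolveGroupFixed(u User, xTenant string) (string, error) {
	groupID := xTenant
	if groupID == "" {
		groupID = u.DefaultGroupID
	}
	if !u.Memberships[groupID] {
		return "", errForbidden
	}
	return groupID, nil
}

func main() {
	// Constructed scenario: the user was removed from "grp-a" but the
	// account still records it as the default group.
	u := User{DefaultGroupID: "grp-a", Memberships: map[string]bool{"grp-b": true}}
	g, err := resolveGroupVulnerable(u, "")
	fmt.Println("vulnerable:", g, err)
	g, err = resolveGroupFixed(u, "")
	fmt.Println("fixed:", g, err)
}
```

A regression test for the fix is the same scenario: an account whose default group membership has been revoked must be denied when the tenant header is omitted.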

Impact

Users could exploit this vulnerability to access and modify group collections through the API, despite having their access revoked via the web interface.

Remediation

Users can upgrade to HomeBox version 0.25.0 or later to address this vulnerability.

Added: Apr 17, 2026, 9:37 PM
Updated: Apr 17, 2026, 9:37 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 4.8
remediation: 0.0
relevance: 6.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.