Home Assistant Companion Apps Cross-Origin JavaScript Injection Vulnerability Allowing Access Token Exfiltration

Vulnerability

A vulnerability in the Home Assistant Companion apps for Android and iOS, in versions before the fixed releases named under Remediation, exposes a JavaScript bridge to the in-app WebView. The bridge is reachable from every frame loaded in that WebView, including cross-origin iframes. The defect is that the JavaScript callback identifier supplied through the bridge is interpolated into generated JavaScript without sanitization, so a cross-origin iframe can execute arbitrary JavaScript in the main frame's origin and exfiltrate the signed-in user's access token. That access token is a bearer token for the Home Assistant REST API and grants full access for its lifetime.
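The defect described above is a pattern rather than a single line: an identifier controlled by page content is pasted into generated code, and the bridge answers any frame. The following is an added illustration, not code from the Home Assistant apps (whose bridge internals the advisory does not detail); the message shape (`sourceOrigin`, `callbackId`), the function names and the `https://ha.example` origin are assumptions.

```javascript
// Added example: a host-side helper that turns a bridge request into the
// script the native app evaluates in the WebView. Names and message
// shape are hypothetical; only the two classes of defect are real.

// Unsafe pattern: raw interpolation. Whatever the frame supplied as the
// callback identifier becomes code in the main frame's origin.
function buildCallbackScriptUnsafe(msg, result) {
  return msg.callbackId + "(" + JSON.stringify(result) + ")";
}

// A callback name must be a plain JavaScript identifier, nothing else.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Hardened pattern. Two checks, matching the two halves of the issue:
//  1. only the frame at the Home Assistant server's own origin may use
//     the bridge, so a cross-origin iframe is refused outright;
//  2. the identifier is validated, then looked up on `window` through a
//     JSON string literal, so it is data rather than interpolated code,
//     and the result payload is JSON-serialized for the same reason.
function buildCallbackScript(msg, allowedOrigin, result) {
  if (typeof msg.sourceOrigin !== "string" || msg.sourceOrigin !== allowedOrigin) {
    throw new Error("bridge call refused from frame origin: " + msg.sourceOrigin);
  }
  if (typeof msg.callbackId !== "string" || !IDENTIFIER.test(msg.callbackId)) {
    throw new TypeError("callback identifier rejected");
  }
  return "window[" + JSON.stringify(msg.callbackId) + "](" + JSON.stringify(result) + ")";
}

// Convenience wrapper returning a verdict instead of throwing, so a host
// can log refused calls as a detection signal rather than crash.
function handleBridgeMessage(msg, allowedOrigin, result) {
  try {
    return { ok: true, script: buildCallbackScript(msg, allowedOrigin, result) };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}
```

Under this shape the refused calls are worth logging on the host side: a bridge request arriving from any origin other than the configured server is itself an indicator that a dashboard is embedding untrusted content.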

Impact

Exploitation of this vulnerability leads to unauthorized access to the Home Assistant access token, allowing full REST API access as the signed-in user. This includes control over devices, automations, and scripts, as well as read access to all entity states. Additionally, the vulnerability allows for an unauthenticated denial-of-service by revoking the user's refresh token and forcing re-onboarding.

Reproduction

To reproduce this vulnerability, a user must have the Home Assistant Companion app installed on either Android or iOS and be signed into a Home Assistant server. The user should add a Webpage card to a dashboard, pointing to a third-party URL that can execute malicious JavaScript. When the dashboard is opened in the Companion app, the cross-origin iframe can access the JavaScript bridge and exfiltrate the access token.

Remediation

Users should update to Home Assistant Companion for Android version 2026.4.4 or iOS version 2026.4.1. If an immediate update is not possible, remove Webpage cards from dashboards and avoid embedding third-party URLs that could serve malicious content.

Added: May 29, 2026, 2:34 PM
Updated: May 29, 2026, 2:34 PM

Vulnerability Rating

Custom Algorithm
spread: 6.8
impact: 3.8
exploitability: 6.3
remediation: 0.0
relevance: 9.8
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.