CVE-2026-34205
Home Assistant · Home Assistant (Supervisor)
Home Assistant Supervisor fails to restrict access to internal Docker endpoints when using host network mode on Linux, exposing unauthenticated management interfaces to the local network.
Executive summary
Home Assistant installations on Linux are vulnerable to unauthenticated access to internal management endpoints, potentially allowing local network attackers to compromise the home automation system.
Vulnerability
On Linux, Home Assistant apps configured with "host network mode" fail to isolate unauthenticated endpoints bound to the internal Docker bridge. This allows any device on the same local network to access these administrative interfaces without any authentication.
Business impact
Unauthorized access to Home Assistant can lead to the control of physical smart home devices, access to private camera feeds, and the theft of sensitive configuration data. The CVSS score of 9.6 reflects the high risk of unauthenticated access and the potential for complete system takeover by an attacker on the local network.
Remediation
Immediate Action: Update Home Assistant Supervisor to version 2026.03.02 or later without delay.
Proactive Monitoring: Inspect local network traffic for unauthorized connections to Home Assistant's internal management ports (typically 8123 or other Docker-assigned ports).
Compensating Controls: Implement network segmentation (VLANs) to isolate the Home Assistant server from untrusted local devices until the update is applied.
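As an added defender-side check (not part of this advisory or of Home Assistant), the script below classifies the host's listening TCP sockets by bind address and lists those a device on the LAN could reach, so an administrator can confirm that management interfaces are not bound to a wildcard or LAN address. The Supervisor bridge subnet 172.30.32.0/23, the sample `ss` rows and the service names are assumptions to adjust for your host.

```python
"""Flag listening TCP sockets on a Linux host that a LAN peer could reach (added example)."""
import ipaddress
import sys

# Assumption: the Supervisor's internal Docker bridge is 172.30.32.0/23; adjust per host.
INTERNAL_BRIDGE = ipaddress.ip_network("172.30.32.0/23")

def parse_ss(output: str) -> list[tuple[str, int, str]]:
    """Parse headerless `ss -ltnpH` rows (State Recv-Q Send-Q Local Peer [Process])
    into (bind_address, port, process) tuples."""
    listeners = []
    for parts in (line.split() for line in output.splitlines()):
        if len(parts) < 5:
            continue
        addr, _, port = parts[3].rpartition(":")  # rpartition keeps [::]:8123 intact
        process = parts[5] if len(parts) > 5 else ""
        listeners.append((addr.strip("[]"), int(port), process))
    return listeners

def exposure(addr: str) -> str:
    """Classify a bind address: wildcard (all interfaces), loopback, bridge or lan."""
    if addr in ("*", "0.0.0.0", "::"):
        return "wildcard"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.version == 4 and ip in INTERNAL_BRIDGE:
        return "bridge"
    return "lan"

def lan_reachable(listeners):
    """Listeners bound so that any device on the LAN can connect to them."""
    return [l for l in listeners if exposure(l[0]) in ("wildcard", "lan")]

# Constructed sample rows; real input is `ss -ltnpH` piped on stdin.
SAMPLE_SS = """\
LISTEN 0 4096 127.0.0.1:8099 0.0.0.0:* users:(("svc-a",pid=1,fd=3))
LISTEN 0 4096 172.30.32.1:80 0.0.0.0:* users:(("svc-b",pid=2,fd=3))
LISTEN 0 4096 0.0.0.0:8123 0.0.0.0:* users:(("svc-c",pid=3,fd=3))
LISTEN 0 4096 [::]:8123 [::]:* users:(("svc-c",pid=3,fd=4))
LISTEN 0 4096 192.168.1.20:9001 0.0.0.0:* users:(("svc-d",pid=4,fd=3))
"""

if __name__ == "__main__":
    data = SAMPLE_SS if sys.stdin.isatty() else sys.stdin.read()
    for addr, port, process in lan_reachable(parse_ss(data)):
        print(f"{exposure(addr):8} {addr}:{port} {process}")
```

Run it on the Home Assistant host as `ss -ltnpH | python3 audit.py`; any row it prints is a listener a LAN peer can connect to and should either be authenticated, rebound to loopback or the bridge, or segmented off as described above.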
Exploitation status
Public Exploit Available: false
Analyst recommendation
The update to Supervisor 2026.03.02 is critical for maintaining the privacy and security of the Home Assistant environment. Users should prioritize this update and review their network configuration to ensure that management interfaces are not exposed to untrusted segments of their local network.