CVE-2023-41894— Local-only webhooks externally accessible via SniTun in Home Assistant Core
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-41894
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Local-only webhooks externally accessible via SniTun in Home Assistant Core
Source: NVD (National Vulnerability Database)
Vulnerability Description
Home assistant is an open source home automation. The assessment verified that webhooks available in the webhook component are triggerable via the `*.ui.nabu.casa` URL without authentication, even when the webhook is marked as Only accessible from the local network. This issue is facilitated by the SniTun proxy, which sets the source address to 127.0.0.1 on all requests sent to the public URL and forwarded to the local Home Assistant. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在范围间的资源转移不正确
Source: NVD (National Vulnerability Database)
Vulnerability Title
Home Assistant 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Home Assistant是一套开源的家庭自动化管理系统。该系统主要用于控制家庭自动化设备。 Home assistant 2023.9.0之前版本存在安全漏洞,该漏洞源于组件webhook存在安全漏洞,允许攻击者通过SniTun从外部访问本地的webhook。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| home-assistant | core | < 2023.9.0 | - |
II. Public POCs for CVE-2023-41894
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2023-41894
请登录查看更多情报信息。
Same Patch Batch · home-assistant · 2023-10-19 · 8 CVEs total
| CVE-2023-41897 | 8.8 HIGH | Lack of XFO header allows clickjacking in Home Assistant Core |
| CVE-2023-41895 | 8.8 HIGH | Cross-site Scripting via auth_callback login in Home Assistant Core |
| CVE-2023-44385 | 8.6 HIGH | Client-Side Request Forgery in Home Assistant iOS/macOS native Apps |
| CVE-2023-41898 | 8.6 HIGH | Arbitrary URL load in Android WebView in `MyActivity.kt` in Home Assistant Companion for |
| CVE-2023-41896 | 7.1 HIGH | Fake websocket server installation permits full takeover in Home Assistant Core |
| CVE-2023-41899 | 6.6 MEDIUM | Partial Server-Side Request Forgery in Home Assistant Core |
| CVE-2023-41893 | 4.3 MEDIUM | Account takeover via auth_callback login in Home Assistant Core |
IV. Related Vulnerabilities
Same product: core
- CVE-2026-42278
UltraDAG: Smart Account Spending Policy Bypass via Pockets - CVE-2026-40583
UltraDAG: SmartOp Vote Path Triggers Fatal Supply Invariant - CVE-2026-34578
OPNsense has an LDAP Injection via Unsanitized Username in A - CVE-2026-34762
Ella Core Has Audit Log Falsification via Path/Body IMSI Mis - CVE-2026-34761
Ella Core Panics Upon NGAP handover failure
Same vendor: home-assistant
- CVE-2026-34205
Home Assistant: Unauthenticated App (Add-on) Endpoints Expos - CVE-2026-33045
Home Assistant has stored XSS in history-graphs - CVE-2026-33044
Home Assistant has stored XSS in Map-card through malicious - CVE-2025-62172
Home Assistant vulnerable to Stored XSS in Energy dashboard - CVE-2025-25305
SSL validation for outgoing requests in Home Assistant Core
V. Comments for CVE-2023-41894
No comments yet