Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

Companion app (iOS)

Source -

CNA

CNA CVEs -

1

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated VendorsRelated AssignersReports
1Vulnerabilities found
CVE-2026-44698
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-8.3||HIGH
EPSS-Not Assigned
Published-29 May, 2026 | 13:32
Updated-29 May, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Home Assistant: Cross-origin iframe access token exfiltration via WebView JS bridge callback injection

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.4.1 for iOS and 2026.4.4 for Android, he Home Assistant Companion apps for Android and iOS expose a JavaScript bridge to the in-app WebView window.externalApp on Android and webkit.messageHandlers.getExternalAuth (alongside revokeExternalAuth and externalBus) on iOS. Two flaws expose the bridge to all frames (including cross-origin iframes) and unsanitized interpolation of the JavaScript callback identifier allows a cross-origin iframe rendered inside the Companion app to execute arbitrary JavaScript in the Home Assistant frontend's main-frame origin and exfiltrate the signed-in user's access token. This vulnerability is fixed in 2026.4.1 for iOS and 2026.4.4 for Android.

Action-Not Available
Vendor-home-assistantHome Assistant
Product-Companion app (Android)coreCompanion app (iOS)
CWE ID-CWE-346
Origin Validation Error
CWE ID-CWE-749
Exposed Dangerous Method or Function
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE ID-CWE-940
Improper Verification of Source of a Communication Channel