CVE-2026-27981
📋 TL;DR
This vulnerability allows attackers to bypass authentication rate limiting in HomeBox by forging IP headers, enabling brute-force attacks on login credentials. It affects all HomeBox instances prior to version 0.24.0 that are exposed to untrusted networks. The issue stems from improper trust of proxy headers even when TrustProxy is disabled.
💻 Affected Systems
- HomeBox
📦 What is this software?
Homebox by Sysadminsmedia
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover through unlimited brute-force attacks on authentication endpoints, leading to unauthorized access to sensitive home inventory data.
Likely Case
Successful brute-force attacks against weak passwords, resulting in unauthorized access to user accounts and their personal inventory data.
If Mitigated
Limited impact if strong passwords are enforced and additional authentication controls exist, though rate limiting bypass still weakens security posture.
🎯 Exploit Status
Exploitation requires direct access to HomeBox endpoints and involves simple header manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.24.0
Vendor Advisory: https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-j86g-v96v-jpp3
Restart Required: Yes
Instructions:
1. Stop the HomeBox service.
2. Update to version 0.24.0 or later.
3. Restart the HomeBox service.
4. Verify the fix by checking the version and testing rate limiting.
🔧 Temporary Workarounds
Network-level rate limiting
Implement rate limiting at the reverse proxy or firewall level before requests reach HomeBox
Header stripping at proxy
Configure the reverse proxy to strip X-Real-IP and X-Forwarded-For headers before forwarding to HomeBox
🧯 If You Can't Patch
- Place HomeBox behind a properly configured reverse proxy that strips untrusted headers and implements rate limiting
- Implement network segmentation to restrict access to HomeBox only from trusted sources
🔍 How to Verify
Check if Vulnerable:
Check HomeBox version - if below 0.24.0, it's vulnerable. Test by sending authentication requests with forged X-Real-IP headers and observing if rate limiting is bypassed.
Check Version:
Check HomeBox web interface or application logs for version information
Verify Fix Applied:
After updating to 0.24.0+, test that forged X-Real-IP headers no longer bypass rate limiting and that failed authentication attempts are properly tracked per actual client IP.
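The root cause named in the TL;DR (proxy headers honoured even when TrustProxy is disabled) and the per-client-IP tracking this verification step expects, shown side by side in an added Go example. This is not HomeBox's code: the clientIP function, the 5-failure window, the /login path and the peer/header addresses are all constructed for the illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// clientIP returns the address used as the rate-limit key. vulnerable=true
// reproduces the advisory's flaw: proxy headers are honoured even when
// trustProxy is false, so the client picks its own key. vulnerable=false only
// honours headers when a trusted proxy is configured to set them.
func clientIP(r *http.Request, trustProxy, vulnerable bool) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	if !trustProxy && !vulnerable {
		return host // transport-level peer address; the client cannot forge it
	}
	if v := r.Header.Get("X-Real-IP"); v != "" {
		return strings.TrimSpace(v)
	}
	if v := r.Header.Get("X-Forwarded-For"); v != "" {
		return strings.TrimSpace(strings.Split(v, ",")[0]) // first hop = original client
	}
	return host
}

// simulate sends n failed logins from one peer, each with a different forged
// X-Real-IP, through a toy fixed-window limiter (5 failures per key) and
// returns how many attempts the limiter admitted.
func simulate(n int, trustProxy, vulnerable bool) int {
	failures := map[string]int{} // buckets keyed by the resolved client IP
	admitted := 0
	for i := 0; i < n; i++ {
		r, _ := http.NewRequest("POST", "/login", nil) // constructed path, not HomeBox's
		r.RemoteAddr = "203.0.113.10:51234"            // constructed attacker peer
		r.Header.Set("X-Real-IP", fmt.Sprintf("198.51.100.%d", i))
		key := clientIP(r, trustProxy, vulnerable)
		if failures[key]++; failures[key] <= 5 {
			admitted++
		}
	}
	return admitted
}

func main() {
	fmt.Println("vulnerable:", simulate(20, false, true))  // 20: every forged header gets its own bucket
	fmt.Println("hardened:  ", simulate(20, false, false)) // 5: all attempts share the real peer's bucket
}
```

When TrustProxy is genuinely enabled the headers are honoured again, which is why the workarounds above pair header stripping with rate limiting at the proxy itself.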
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts from same IP with varying X-Real-IP headers
- Unusually high authentication failure rates
- Login attempts with forged proxy headers
Network Indicators:
- Rapid authentication attempts with changing IP headers
- Direct connections to HomeBox bypassing expected proxies
SIEM Query:
source="homebox" AND (event="authentication_failure" OR event="login_failed") | stats count by src_ip, x_real_ip | where count > threshold