Login Sign Up

CVE-2026-32112

6.8 MEDIUM
Cross-Site Scripting

📋 TL;DR

This is a cross-site scripting (XSS) vulnerability in ha-mcp's OAuth consent form that allows attackers to execute JavaScript in the server operator's browser. It affects users running the beta OAuth mode (ha-mcp-oauth) with explicit configuration. Attackers must convince operators to follow crafted authorization URLs to exploit this vulnerability.

💻 Affected Systems

Products:
  • ha-mcp (Home Assistant MCP Server)
Versions: All versions prior to 7.0.0
Operating Systems: All platforms running ha-mcp
Default Config Vulnerable: ✅ No
Notes: Only affects users who explicitly enabled the beta OAuth mode (ha-mcp-oauth), which is not part of standard setup.

📦 What is this software?

Home Assistant Mcp Server by Homeassistant Ai

View all CVEs affecting Home Assistant Mcp Server →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker gains full control of the operator's browser session, potentially leading to account takeover, data theft, or further system compromise through social engineering.

🟠

Likely Case

Attacker executes limited JavaScript to steal session cookies or perform actions as the authenticated operator within the Home Assistant environment.

🟢

If Mitigated

No impact if beta OAuth mode is disabled or proper input sanitization is implemented.

🌐 Internet-Facing: MEDIUM - Requires attacker to reach OAuth endpoint and social engineering, but XSS can lead to significant compromise.
🏢 Internal Only: LOW - Requires specific beta configuration and social engineering within the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires social engineering to trick operator into clicking malicious link and beta OAuth mode enabled.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.0.0

Vendor Advisory: https://github.com/homeassistant-ai/ha-mcp/security/advisories/GHSA-pf93-j98v-25pv

Restart Required: Yes

Instructions:

1. Update ha-mcp to version 7.0.0 or later using your package manager. 2. Restart the ha-mcp service. 3. Verify the update was successful.

🔧 Temporary Workarounds

Disable Beta OAuth Mode

all

Disable the vulnerable ha-mcp-oauth beta feature if not required.

Edit ha-mcp configuration to remove or disable OAuth beta mode settings

🧯 If You Can't Patch

  • Disable the ha-mcp-oauth beta feature immediately
  • Implement network segmentation to restrict access to OAuth endpoints

🔍 How to Verify

Check if Vulnerable:

Check if ha-mcp version is below 7.0.0 AND ha-mcp-oauth beta mode is enabled in configuration.

Check Version:

ha-mcp --version or check package manager for installed version

Verify Fix Applied:

Confirm ha-mcp version is 7.0.0 or higher and check that HTML escaping is implemented in OAuth consent forms.

📡 Detection & Monitoring

Log Indicators:

  • Unusual OAuth authorization requests with suspicious parameters
  • JavaScript execution attempts in OAuth logs

Network Indicators:

  • HTTP requests to OAuth endpoints with encoded script tags or JavaScript in parameters

SIEM Query:

source="ha-mcp" AND (event="oauth_authorization" AND (param CONTAINS "<script>" OR param CONTAINS "javascript:"))

📊 Metadata

CVE ID: CVE-2026-32112
CVSS v3 Score: 6.8 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
CWE: CWE-79
Published: March 11, 2026
Last Updated: March 17, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-32112, you might also want to check these:

CVE-2021-39199 10.0

CVE-2021-39199 is a critical cross-site scripting (XSS) vulnerability in the remark-html Node.js lib...

Same vulnerability type (CWE-79)
CVE-2021-32671 10.0

This vulnerability in Flarum forum software allows attackers to inject malicious HTML/JavaScript int...

Same vulnerability type (CWE-79)
CVE-2021-32798 10.0

CVE-2021-32798 is a critical vulnerability in Jupyter Notebook that allows malicious notebook files ...

Same vulnerability type (CWE-79)