CVE-2026-27796 Overview
CVE-2026-27796 is an information disclosure vulnerability affecting Homarr, an open-source dashboard application used for managing and displaying home server services. Prior to version 1.54.0, the integration.all tRPC endpoint is exposed as a publicProcedure, allowing unauthenticated users to retrieve the complete list of configured integrations. This metadata includes sensitive information such as internal service URLs, integration names, and service types that could be leveraged by attackers to map internal infrastructure.
Critical Impact
Unauthenticated attackers can enumerate internal service configurations, URLs, and integration metadata, potentially facilitating further attacks against exposed internal services.
Affected Products
- Homarr versions prior to 1.54.0
- Self-hosted Homarr dashboard installations
- Homarr instances with network-accessible tRPC endpoints
Discovery Timeline
- 2026-03-07 - CVE-2026-27796 published to NVD
- 2026-03-10 - Last updated in NVD database
Technical Details for CVE-2026-27796
Vulnerability Analysis
This vulnerability represents a classic broken access control issue where a sensitive API endpoint lacks proper authentication requirements. The integration.all tRPC endpoint was inadvertently configured as a publicProcedure rather than a protected procedure, exposing it to unauthenticated access.
When exploited, attackers can query this endpoint without any credentials and receive a full enumeration of all configured integrations within the Homarr instance. The leaked information includes internal service URLs (potentially revealing internal IP addresses and network topology), integration names, and the types of services being used. This information disclosure can serve as a reconnaissance vector for more sophisticated attacks against the underlying infrastructure.
Root Cause
The root cause of CVE-2026-27796 lies in the improper access control configuration within the tRPC router implementation. The integration.all endpoint was defined using publicProcedure instead of a protected procedure that requires authentication. This design flaw meant that the endpoint inherited no authentication middleware, allowing any network-accessible request to retrieve sensitive integration data.
The vulnerability falls under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), highlighting a failure to implement proper authorization checks on sensitive data retrieval operations.
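As an added illustration (not Homarr's own code, and not the @trpc/server API itself): the procedure/middleware pattern the root cause describes, reduced to a small self-contained stand-in so it runs without tRPC installed. The Procedure class, the session shape and the sample integration records are assumptions; the point is that a query built on publicProcedure inherits no authentication middleware, while the same resolver built on protectedProcedure rejects callers without a session.

```typescript
// Minimal stand-in for tRPC's builder pattern (assumption: mirrors its shape,
// not its implementation). Each .use() appends a middleware; .query() binds
// a resolver that only runs after every middleware has passed.
type Session = { userId: string } | null;
type Ctx = { session: Session };
type Middleware = (ctx: Ctx) => Ctx; // throws to reject the request

class UnauthorizedError extends Error {
  constructor() { super("UNAUTHORIZED"); }
}

class Procedure {
  private readonly mws: Middleware[];
  constructor(mws: Middleware[] = []) { this.mws = mws; }
  use(mw: Middleware): Procedure { return new Procedure([...this.mws, mw]); }
  query<T>(resolver: (ctx: Ctx) => T): (ctx: Ctx) => T {
    return (ctx) => {
      const finalCtx = this.mws.reduce((c, mw) => mw(c), ctx);
      return resolver(finalCtx);
    };
  }
}

const publicProcedure = new Procedure();
// Equivalent of `t.procedure.use(isAuthed)`: reject when there is no session.
const protectedProcedure = publicProcedure.use((ctx) => {
  if (!ctx.session) throw new UnauthorizedError();
  return ctx;
});

// Constructed sample records with placeholder internal URLs.
const integrations = [
  { name: "media-server", kind: "jellyfin", url: "http://10.0.0.5:8096" },
  { name: "downloader", kind: "sabnzbd", url: "http://10.0.0.7:8080" },
];

// Vulnerable shape from the advisory: no auth middleware runs, so any caller
// (session or not) receives the full integration list.
const vulnerableIntegrationAll = publicProcedure.query(() => integrations);

// Hardened shape: same resolver, but unauthenticated callers are rejected
// before it executes.
const fixedIntegrationAll = protectedProcedure.query(() => integrations);

// Does calling `proc` with no session still return the integration list?
function leaksWithoutSession(proc: (ctx: Ctx) => unknown): boolean {
  try { return Array.isArray(proc({ session: null })); }
  catch (e) { if (e instanceof UnauthorizedError) return false; throw e; }
}
```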
Attack Vector
The attack vector for this vulnerability is network-based and requires no authentication or user interaction. An attacker with network access to a vulnerable Homarr instance can directly query the integration.all tRPC endpoint via HTTP requests. The attack is straightforward to execute:
- The attacker identifies a Homarr instance accessible over the network
- The attacker sends a tRPC request to the integration.all endpoint
- The server responds with complete integration metadata including internal URLs and service configurations
- The attacker uses this information for further reconnaissance or targeted attacks
The vulnerability requires no special privileges, no complex exploitation techniques, and can be performed anonymously, making it particularly concerning for internet-exposed Homarr deployments.
Detection Methods for CVE-2026-27796
Indicators of Compromise
- Unusual or unexpected HTTP requests to tRPC endpoints from external IP addresses
- Access logs showing unauthenticated requests to /api/trpc/integration.all or similar tRPC routes
- Network traffic patterns indicating enumeration attempts against the Homarr API
- Failed authentication attempts or reconnaissance activity following information disclosure
Detection Strategies
- Monitor web server access logs for requests to tRPC integration endpoints from unauthorized sources
- Implement network-level monitoring for unusual traffic patterns to Homarr instances
- Deploy application-layer firewalls or WAF rules to detect and block unauthorized API enumeration attempts
- Review authentication logs for missing authentication tokens on sensitive endpoint access
Monitoring Recommendations
- Configure alerting for API requests to integration endpoints that lack valid authentication headers
- Establish baseline traffic patterns for Homarr instances and alert on deviations
- Monitor for reconnaissance activity that may follow successful information disclosure exploitation
- Enable detailed logging on tRPC endpoints to capture request metadata for forensic analysis
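An added detection example, not part of the advisory: it scans web server access log lines (Combined Log Format) for tRPC calls that include integration.all and come from outside a trusted range, as the strategies above suggest. It also goes slightly beyond the single path named above by unpacking tRPC's batched URL form, where several procedure names are joined by commas in the path. The log lines, the trusted CIDR and the second procedure name are constructed placeholders.

```typescript
interface Hit { ip: string; procedures: string[]; status: number; line: string }

// Combined Log Format: client ip, identd, user, [time], "METHOD path proto", status ...
const LOG_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) /;

function ipToInt(ip: string): number {
  return ip.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}

function inCidr(ip: string, cidr: string): boolean {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// tRPC puts procedure names in the path after /api/trpc/; a batched request
// joins them with commas, e.g. /api/trpc/integration.all,board.example?batch=1
function trpcProcedures(path: string): string[] {
  const procs = /^\/api\/trpc\/([^?]+)/.exec(path)?.[1];
  return procs ? procs.split(",").map(decodeURIComponent) : [];
}

// Flag every request that reaches integration.all from outside trustedCidr.
function findExposure(lines: string[], trustedCidr: string): Hit[] {
  const hits: Hit[] = [];
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m) continue;
    const [, ip, , path, status] = m;
    const procedures = trpcProcedures(path);
    if (!procedures.includes("integration.all")) continue;
    if (inCidr(ip, trustedCidr)) continue; // expected admin traffic
    hits.push({ ip, procedures, status: Number(status), line });
  }
  return hits;
}

// Constructed sample log (placeholder addresses from documentation ranges).
const TRUSTED_CIDR = "192.168.1.0/24";
const SAMPLE_LOG = [
  '203.0.113.9 - - [10/Mar/2026:14:03:11 +0000] "GET /api/trpc/integration.all?batch=1&input=%7B%7D HTTP/1.1" 200 1532 "-" "curl/8.5.0"',
  '192.168.1.20 - - [10/Mar/2026:14:04:02 +0000] "GET /api/trpc/integration.all?batch=1&input=%7B%7D HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
  '198.51.100.4 - - [10/Mar/2026:14:05:40 +0000] "GET /api/trpc/integration.all,board.example?batch=1 HTTP/1.1" 200 2210 "-" "python-requests/2.32"',
  '203.0.113.9 - - [10/Mar/2026:14:06:15 +0000] "GET /api/trpc/board.example?batch=1 HTTP/1.1" 401 87 "-" "curl/8.5.0"',
  '203.0.113.9 - - [10/Mar/2026:14:06:20 +0000] "GET /manage HTTP/1.1" 302 0 "-" "curl/8.5.0"',
];
```

Run findExposure(SAMPLE_LOG, TRUSTED_CIDR) and forward each hit to your alerting pipeline; a status of 200 on a hit means the disclosure succeeded on an unpatched instance.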
How to Mitigate CVE-2026-27796
Immediate Actions Required
- Upgrade Homarr to version 1.54.0 or later immediately
- Restrict network access to Homarr instances using firewall rules or reverse proxy authentication
- Review access logs for evidence of prior exploitation attempts
- Audit current integration configurations for any sensitive information that may have been exposed
Patch Information
The vulnerability has been patched in Homarr version 1.54.0. The fix modifies the integration.all endpoint to require proper authentication before returning integration data. Organizations should update to the patched version as soon as possible.
For detailed patch information, refer to the GitHub commit containing the fix and the GitHub Security Advisory GHSA-m4vc-4prp-cvp7. The patched release is available as GitHub Release v1.54.0.
Workarounds
- Place Homarr behind a reverse proxy with authentication requirements (e.g., Authelia, Authentik)
- Restrict network access to Homarr to trusted internal networks only using firewall rules
- Implement IP allowlisting to limit access to known administrative hosts
- Consider disabling external access entirely until the patch can be applied
# Example: Restrict access to Homarr using iptables
# Allow only internal network access (adjust the IP range as needed; 7575 is the
# port Homarr listens on by default, change it if yours differs)
# Note: -A appends, so an earlier ACCEPT rule for this port would still match first;
# use -I INPUT to insert at the top of the chain if such a rule already exists
iptables -A INPUT -p tcp --dport 7575 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 7575 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.