CVE-2026-32111 Overview
CVE-2026-32111 is a Server-Side Request Forgery (SSRF) vulnerability in ha-mcp, a Home Assistant MCP Server. Prior to version 7.0.0, the ha-mcp OAuth consent form (beta feature) accepts a user-supplied ha_url parameter and makes a server-side HTTP request to {ha_url}/api/config with no URL validation. An unauthenticated attacker can submit arbitrary URLs to perform internal network reconnaissance via an error oracle. Two additional code paths in OAuth tool calls (REST and WebSocket) are also affected by the same primitive.
Critical Impact
Unauthenticated attackers can exploit this SSRF vulnerability to probe internal network infrastructure and gather sensitive information about backend services through error-based responses.
Affected Products
- ha-mcp versions prior to 7.0.0
- Deployments using the OAuth consent form beta feature
- OAuth tool call paths utilizing REST and WebSocket connections
Discovery Timeline
- 2026-03-11 - CVE-2026-32111 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-32111
Vulnerability Analysis
This vulnerability is classified as CWE-918 (Server-Side Request Forgery). The flaw exists in the OAuth consent form's handling of the ha_url parameter, which is used to construct server-side HTTP requests without proper validation. When a request is made to the OAuth endpoint, the application directly incorporates the user-supplied URL into an HTTP request targeting {ha_url}/api/config.
The lack of URL validation allows attackers to specify arbitrary internal or external URLs, effectively turning the ha-mcp server into a proxy for unauthorized network requests. The error oracle mechanism means that differences in error responses can reveal information about the reachability and state of internal services.
Importantly, the primary deployment method using a private URL with pre-configured HOMEASSISTANT_TOKEN is not affected by this vulnerability. The issue specifically impacts installations utilizing the beta OAuth consent form feature.
Root Cause
The root cause is improper input validation on the ha_url parameter in the OAuth consent form handler. The application fails to implement URL allowlisting, scheme validation, or private IP address filtering before making server-side HTTP requests. This allows user-controlled input to directly influence the destination of backend HTTP requests, enabling SSRF attacks.
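The three missing controls named above, implemented as an added Python example (not ha-mcp's own code): ha_url_rejection applies a scheme allowlist, an optional host allowlist, and private/loopback/link-local filtering on every address the host resolves to, and the resolver is injectable so the constructed fake_resolve table lets it run offline. The function names, the allowlist parameter and the lookup table are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def _is_public(ip):
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so the IPv4 rules apply to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def ha_url_rejection(ha_url, resolve=socket.getaddrinfo, allowlist=None):
    """Return a reason string if ha_url must not be fetched, else None.
    Checks: scheme allowlist, optional host allowlist, and private/loopback/
    link-local filtering on every address the host resolves to."""
    parts = urlsplit(ha_url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return "no host in ha_url"
    if allowlist is not None and host.lower() not in allowlist:
        return f"host {host!r} is not on the allowlist"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP: no DNS lookup needed
    except ValueError:
        try:  # parts.port raises ValueError on a malformed port, hence the tuple
            port = parts.port or (443 if scheme == "https" else 80)
            infos = resolve(host, port, 0, socket.SOCK_STREAM)
        except (OSError, ValueError) as exc:
            return f"cannot resolve {host!r}: {exc}"
        addrs = [ipaddress.ip_address(info[4][0]) for info in infos]
    for ip in addrs:
        if not _is_public(ip):
            return f"{host!r} points at non-public address {ip}"
    return None

def fake_resolve(host, port, *_):
    """Constructed stand-in for socket.getaddrinfo so the example runs offline."""
    # 8.8.8.8 is simply a routable public address; note that documentation ranges
    # such as 203.0.113.0/24 are classed non-public by the ipaddress module.
    table = {"ha.example.com": "8.8.8.8", "internal.corp": "10.0.0.5"}
    if host not in table:
        raise socket.gaierror(f"unknown host {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (table[host], port))]
```

Checking every resolved address (not only the first) matters because a name can return a mix of public and private records.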
Attack Vector
The attack is network-based and can be executed by unauthenticated remote attackers. The exploitation flow involves submitting a crafted ha_url parameter to the OAuth consent form endpoint. The attacker can specify internal IP addresses or hostnames to probe the internal network topology. By analyzing different error responses, the attacker can determine which internal hosts are reachable, identify open ports, and potentially discover internal services.
The vulnerability is present in three code paths: the OAuth consent form, REST-based OAuth tool calls, and WebSocket-based OAuth tool calls. All three paths share the same lack of URL validation, making them susceptible to the same SSRF primitive.
Detection Methods for CVE-2026-32111
Indicators of Compromise
- Unusual outbound HTTP requests from the ha-mcp server to internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- High volume of requests to the OAuth consent form endpoint with varying ha_url parameters
- Error logs showing connection attempts to unexpected internal hosts or cloud metadata endpoints (e.g., 169.254.169.254)
Detection Strategies
- Monitor application logs for OAuth consent form requests containing suspicious ha_url values pointing to internal networks
- Implement network-level detection for unexpected outbound connections from the ha-mcp server to internal infrastructure
- Deploy web application firewall rules to flag requests containing internal IP addresses in the ha_url parameter
- Alert on repeated failed connection attempts originating from the ha-mcp server to various internal endpoints
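An added illustration of the first and last strategies above, written here in Python and not taken from ha-mcp or the advisory: it parses constructed access-log lines, flags ha_url values that name private, loopback or link-local addresses, and reports clients that submit many distinct ha_url values. The endpoint path /oauth/consent, the log layout and the threshold are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed access-log sample. The path "/oauth/consent" and the log layout are
# assumptions; ha-mcp's real endpoint path and log format are not in the advisory.
SAMPLE_LOG = """\
198.51.100.7 - [11/Mar/2026:10:00:01 +0000] "POST /oauth/consent?ha_url=http%3A%2F%2F10.0.0.1%3A8123 HTTP/1.1" 502
198.51.100.7 - [11/Mar/2026:10:00:02 +0000] "POST /oauth/consent?ha_url=http%3A%2F%2F10.0.0.2%3A8123 HTTP/1.1" 502
198.51.100.7 - [11/Mar/2026:10:00:03 +0000] "POST /oauth/consent?ha_url=http%3A%2F%2F169.254.169.254%2Flatest HTTP/1.1" 502
203.0.113.9 - [11/Mar/2026:10:05:00 +0000] "POST /oauth/consent?ha_url=https%3A%2F%2Fha.example.com HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(?P<src>\S+) - \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def target_is_internal(ha_url):
    """True if ha_url names a private, loopback or link-local address literal.
    Hostnames are not resolved here (offline log review), only literals."""
    host = urlsplit(ha_url).hostname
    if host is None:
        return False
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local

def analyse(log_text, enum_threshold=3):
    """Return (internal_hits, enumerators): (client, ha_url) pairs whose target
    is internal, and clients that submitted >= enum_threshold distinct ha_url
    values, the enumeration-style pattern the detection guidance describes."""
    internal_hits, distinct = [], defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or "ha_url=" not in m["path"]:
            continue
        for ha_url in parse_qs(urlsplit(m["path"]).query).get("ha_url", []):
            distinct[m["src"]].add(ha_url)
            if target_is_internal(ha_url):
                internal_hits.append((m["src"], ha_url))
    enumerators = sorted(c for c, urls in distinct.items() if len(urls) >= enum_threshold)
    return internal_hits, enumerators
```

On the sample, analyse(SAMPLE_LOG) returns three internal hits from 198.51.100.7 and lists that client as an enumerator; pair it with the resolver-side check in the request handler, since a hostname that resolves internally is invisible to an offline log scan.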
Monitoring Recommendations
- Enable verbose logging on the ha-mcp OAuth endpoints to capture all incoming ha_url parameter values
- Configure network monitoring to track outbound connections from ha-mcp containers or processes
- Implement anomaly detection for unusual patterns in OAuth form submissions
- Review access logs for enumeration-style requests targeting the affected endpoints
How to Mitigate CVE-2026-32111
Immediate Actions Required
- Upgrade ha-mcp to version 7.0.0 or later immediately
- If upgrade is not immediately possible, disable the OAuth consent form beta feature
- Review network access controls to restrict outbound connections from the ha-mcp server
- Audit logs for evidence of exploitation attempts
Patch Information
This vulnerability is fixed in ha-mcp version 7.0.0. The fix implements proper URL validation to prevent SSRF attacks through the OAuth consent form and related OAuth tool call paths. Users should upgrade to 7.0.0 or later to fully remediate this vulnerability. For detailed information about the security fix, refer to the GitHub Security Advisory.
Workarounds
- Disable the beta OAuth consent form feature if not required for your deployment
- Use the primary deployment method with a private URL and pre-configured HOMEASSISTANT_TOKEN, which is not affected
- Implement network segmentation to limit the ha-mcp server's ability to reach internal services
- Deploy a reverse proxy with URL filtering to block requests containing internal IP addresses in the ha_url parameter
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.