CVE-2026-32112 Overview
CVE-2026-32112 is a Cross-Site Scripting (XSS) vulnerability affecting ha-mcp, a Home Assistant MCP Server. Prior to version 7.0.0, the ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL could execute JavaScript in the operator's browser.
Critical Impact
This vulnerability allows attackers to execute arbitrary JavaScript in an authenticated user's browser session, potentially leading to session hijacking, credential theft, or unauthorized actions on behalf of the Home Assistant operator.
Affected Products
- ha-mcp versions prior to 7.0.0
- ha-mcp-oauth beta OAuth mode (requires explicit configuration)
Discovery Timeline
- 2026-03-11 - CVE-2026-32112 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-32112
Vulnerability Analysis
This vulnerability stems from improper output encoding in the OAuth consent form rendering process. The ha-mcp OAuth implementation uses Python f-strings to dynamically construct HTML content that includes user-controlled parameters from the authorization URL. Because these parameters are not properly HTML-escaped before being embedded in the response, malicious JavaScript code can be injected and executed in the context of the victim's browser session.
The attack requires user interaction—specifically, the server operator must follow a crafted authorization URL. While this limits the attack surface, successful exploitation could grant an attacker significant control over the Home Assistant environment, including the ability to manipulate smart home devices, access sensitive configuration data, or pivot to other connected systems.
It's important to note that this vulnerability only affects users running the beta OAuth mode (ha-mcp-oauth), which is not part of the standard setup and requires explicit configuration by the operator.
Root Cause
The root cause is the use of Python f-strings for HTML template rendering without proper output encoding. When user-supplied input from OAuth authorization parameters (such as redirect_uri, client_id, or state) is directly interpolated into HTML output, the browser interprets any embedded script tags or event handlers as legitimate code. This is a classic case of CWE-79: Improper Neutralization of Input During Web Page Generation.
Attack Vector
The attack is network-based and requires user interaction. An attacker must craft a malicious authorization URL containing JavaScript payloads in one or more OAuth parameters. When the server operator clicks on or is redirected to this URL, the OAuth consent form renders the malicious input without sanitization, causing the embedded JavaScript to execute in the operator's authenticated browser session.
The attacker could deliver the malicious URL through various social engineering techniques such as phishing emails, forum posts, or malicious links disguised as legitimate Home Assistant resources.
Detection Methods for CVE-2026-32112
Indicators of Compromise
- Unusual OAuth authorization requests containing HTML tags or JavaScript event handlers in URL parameters
- Suspicious redirect_uri, client_id, or state parameters containing encoded script content (e.g., %3Cscript%3E)
- Web server logs showing authorization URLs with abnormally long or encoded parameter values
- Reports of unexpected browser behavior when accessing the ha-mcp OAuth consent form
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing potential XSS payloads in OAuth parameters
- Monitor web server access logs for authorization requests with suspicious URL-encoded characters or script-like patterns
- Deploy browser-based security controls that detect and prevent inline script execution
- Enable Content Security Policy (CSP) headers to restrict script execution sources
Monitoring Recommendations
- Review ha-mcp access logs for OAuth endpoint requests with unusual parameter lengths or encoded special characters
- Set up alerts for failed or anomalous OAuth authorization flows
- Monitor for any JavaScript errors or unexpected script execution in browser developer tools when using the OAuth consent form
How to Mitigate CVE-2026-32112
Immediate Actions Required
- Upgrade ha-mcp to version 7.0.0 or later immediately
- If upgrade is not immediately possible, disable the beta OAuth mode (ha-mcp-oauth) until patching is complete
- Review access logs for any signs of exploitation attempts
- Educate operators about the risks of clicking on untrusted authorization URLs
Patch Information
The vulnerability is fixed in ha-mcp version 7.0.0. Users should update their installations to this version or later to remediate the vulnerability. Detailed information about the fix is available in the GitHub Security Advisory.
Workarounds
- Disable the beta OAuth mode (ha-mcp-oauth) if it is not required for operations
- Implement a reverse proxy with XSS filtering capabilities in front of the ha-mcp service
- Configure Content Security Policy (CSP) headers to prevent inline script execution
- Restrict network access to the OAuth endpoint to trusted IP addresses only
# Disable OAuth mode in ha-mcp configuration
# Edit your ha-mcp configuration file and ensure OAuth is disabled
# Example: In your configuration, set oauth_enabled to false
oauth_enabled: false
# Alternatively, restrict access via firewall rules
# Allow only trusted IPs to access the OAuth endpoint
iptables -A INPUT -p tcp --dport 8123 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8123 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
