CVE-2026-33044 Overview
CVE-2026-33044 is a Cross-Site Scripting (XSS) vulnerability affecting Home Assistant, the popular open source home automation software that emphasizes local control and privacy. This vulnerability allows an authenticated attacker to inject malicious scripts through device entity names, which are then executed when viewed on dashboards containing Map-card components.
Critical Impact
Authenticated attackers can execute arbitrary JavaScript in victim browsers by crafting malicious device entity names, potentially leading to session hijacking, credential theft, or unauthorized control of smart home devices.
Affected Products
- Home Assistant versions 2020.02 through 2026.01 (prior to patch)
- Home Assistant Core with Map-card dashboard components
- Any deployment with shared dashboard access between users
Discovery Timeline
- 2026-03-27 - CVE CVE-2026-33044 published to NVD
- 2026-03-31 - Last updated in NVD database
Technical Details for CVE-2026-33044
Vulnerability Analysis
This stored Cross-Site Scripting vulnerability exists within Home Assistant's Map-card component rendering logic. The vulnerability stems from improper sanitization of device entity names when they are displayed on dashboard Map-cards. An authenticated user with the ability to create or modify device entities can inject malicious JavaScript payloads into the entity name field.
The attack requires user interaction—specifically, the victim must hover over an information point on a Map-card that includes the malicious entity. When triggered, the injected script executes within the victim's browser session context, inheriting their authentication privileges and access to the Home Assistant instance.
Given that Home Assistant manages smart home devices including security systems, locks, cameras, and environmental controls, successful exploitation could have significant real-world consequences beyond typical XSS impacts.
Root Cause
The root cause is inadequate input validation and output encoding in the Map-card component (CWE-79). Entity names are stored without sufficient sanitization and rendered without proper HTML encoding, allowing script tags and JavaScript event handlers to be interpreted as executable code rather than display text.
Attack Vector
The attack follows a stored XSS pattern with network-based delivery. An authenticated attacker first creates or modifies a device entity, inserting a malicious script payload into the entity name field. This payload is stored in the Home Assistant database. When any user with dashboard access views a Map-card containing the compromised entity and hovers over the relevant information point, the malicious script executes in their browser context.
The attack requires low privilege levels (authenticated user) and active user participation (hovering over the element), but can affect any user with visibility into the affected dashboard, including administrators. The potential for privilege escalation makes this particularly concerning in multi-user Home Assistant deployments.
Detection Methods for CVE-2026-33044
Indicators of Compromise
- Entity names containing HTML tags, especially <script>, <img>, <svg>, or event handlers like onerror, onload, onmouseover
- Unusual JavaScript execution or network requests originating from the Home Assistant dashboard
- Unexpected modifications to entity names, particularly those containing encoded characters or obfuscated scripts
- Browser console errors or security warnings when viewing Map-card dashboards
Detection Strategies
- Review entity name fields in the Home Assistant database for suspicious HTML or JavaScript content
- Monitor Home Assistant access logs for unusual entity modification patterns
- Implement Content Security Policy (CSP) headers to detect and block inline script execution
- Use browser developer tools to inspect Map-card rendering for unexpected script elements
Monitoring Recommendations
- Enable verbose logging for entity modifications and dashboard access events
- Configure network monitoring to detect anomalous outbound connections from client browsers during dashboard viewing
- Set up alerts for entity names containing special characters or HTML-like syntax
- Regularly audit user permissions and entity ownership in multi-user deployments
How to Mitigate CVE-2026-33044
Immediate Actions Required
- Upgrade to Home Assistant version 2026.01 or later immediately
- Audit all existing entity names for potentially malicious content
- Review and restrict user permissions for entity creation and modification
- Temporarily disable Map-card components on shared dashboards until patching is complete
Patch Information
Home Assistant version 2026.01 addresses this vulnerability by implementing proper input sanitization and output encoding for entity names when rendered in Map-card components. Users should update their installations through the standard Home Assistant update process. For detailed patch information, refer to the GitHub Security Advisory GHSA-r584-6283-p7xc.
Workarounds
- Remove or hide Map-card components from dashboards until the patch can be applied
- Implement strict access controls to limit who can create or modify device entities
- Use a reverse proxy to add Content Security Policy headers that block inline script execution
- Regularly audit entity names and sanitize any suspicious entries manually
# Check current Home Assistant version
ha core info
# Update Home Assistant to patched version
ha core update --version 2026.01
# Review entity names for suspicious content (requires database access)
sqlite3 /config/home-assistant_v2.db "SELECT entity_id, name FROM states_meta WHERE name LIKE '%<%' OR name LIKE '%script%';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
