CVE-2026-33045 Overview
Home Assistant is open source home automation software that puts local control and privacy first. A cross-site scripting (XSS) vulnerability has been identified in the "remaining charge time" sensor for mobile phones, which appears to be imported/included from Android Auto. This vulnerability affects Home Assistant versions starting from 2025.02 and prior to 2026.01. The flaw is similar to CVE-2025-62172 and allows attackers to inject malicious scripts through the affected sensor component.
Critical Impact
Attackers can execute arbitrary JavaScript code in the context of authenticated Home Assistant users, potentially leading to session hijacking, unauthorized smart home device control, or theft of sensitive home automation data.
Affected Products
- Home Assistant versions from 2025.02 up to, but not including, 2026.01
- Home Assistant Core with Android Auto integration enabled
- Smart home deployments utilizing the "remaining charge time" mobile phone sensor
Discovery Timeline
- 2026-03-27 - CVE-2026-33045 published to NVD
- 2026-03-31 - Last updated in NVD database
Technical Details for CVE-2026-33045
Vulnerability Analysis
This cross-site scripting (XSS) vulnerability exists in the "remaining charge time" sensor component of Home Assistant. The sensor, which appears to be imported from Android Auto integration, fails to properly sanitize user-controlled input before rendering it in the web interface. This allows attackers to inject malicious JavaScript code that executes in the browser context of authenticated Home Assistant users.
The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). When exploited, an attacker with low privileges can potentially escalate their access by hijacking administrative sessions, manipulating smart home devices, or exfiltrating sensitive configuration data from the Home Assistant instance.
This vulnerability shares similar characteristics with CVE-2025-62172, suggesting a pattern of input validation issues within sensor data handling in Home Assistant's mobile device integration components.
Root Cause
The root cause of this vulnerability is improper input sanitization in the "remaining charge time" sensor data handling. When data from the Android Auto integration is processed and displayed in the Home Assistant user interface, special characters and HTML/JavaScript content are not properly escaped or neutralized. This allows attacker-controlled input to be interpreted as executable code rather than plain text, resulting in a stored or reflected XSS condition.
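The defect pattern described above, as an added example that is not Home Assistant's own code: a minimal sensor-card renderer that concatenates the sensor value straight into markup, beside the hardened form that escapes every untrusted field, and a validator that rejects non-numeric "remaining charge time" values before they reach the renderer at all. The card markup, function names and the hostile sample value are all constructed for illustration.

```python
"""Added example (not Home Assistant project code): CWE-79 defect pattern next to two fixes."""
import html

INJECTED = '<img src=x onerror="alert(1)">'  # constructed hostile sensor value


def render_card_unsafe(name, value, unit):
    # Vulnerable pattern: attacker-controlled sensor data is interpolated into HTML verbatim,
    # so a value containing a tag is rendered as markup, not as text.
    return f'<div class="card"><span class="name">{name}</span> {value} {unit}</div>'


def render_card_safe(name, value, unit):
    # Hardened pattern: every untrusted field is HTML-escaped (quote=True also neutralises
    # the " and ' characters that matter inside attribute values).
    def e(s):
        return html.escape(str(s), quote=True)
    return f'<div class="card"><span class="name">{e(name)}</span> {e(value)} {e(unit)}</div>'


def parse_charge_time(value):
    """Validate at the source: a remaining-charge-time sensor only ever carries a
    non-negative integer minute count. Return the int, or None if the value is anything
    else, so markup never reaches the renderer in the first place."""
    if isinstance(value, str) and value.isdigit():
        return int(value)
    return None


if __name__ == "__main__":
    print(render_card_unsafe("Remaining Charge Time", INJECTED, "min"))  # tag survives intact
    print(render_card_safe("Remaining Charge Time", INJECTED, "min"))    # shown as inert text
    print(parse_charge_time("42"), parse_charge_time(INJECTED))          # 42 None
```

Output encoding (the safe renderer) is the fix that closes the XSS regardless of where the value came from; input validation (the parser) is the additional layer that makes sense for a sensor whose legitimate values are purely numeric.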
Attack Vector
The attack leverages the network-accessible nature of Home Assistant instances. An authenticated attacker with low privileges can inject malicious payloads through the mobile phone sensor data path. When other users (including administrators) view the affected sensor data in their dashboard, the injected JavaScript executes in their browser session.
The attack requires user interaction as victims must navigate to or view the affected component. However, given that Home Assistant dashboards are commonly viewed by all household members, the likelihood of successful exploitation is elevated in typical deployment scenarios.
The vulnerability manifests when unsanitized sensor data from Android Auto is rendered in the Home Assistant web interface. Malicious JavaScript payloads embedded in the "remaining charge time" field execute when displayed, potentially capturing session tokens or triggering unauthorized actions. See the GitHub Security Advisory GHSA-46j8-vpx8-6p72 for additional technical details.
Detection Methods for CVE-2026-33045
Indicators of Compromise
- Unusual JavaScript content appearing in sensor data fields, particularly in mobile device or Android Auto related sensors
- Unexpected network requests originating from Home Assistant dashboard pages to external domains
- Browser console errors indicating script execution attempts from sensor data contexts
- Session token or credential exfiltration attempts visible in network traffic logs
Detection Strategies
- Monitor Home Assistant access logs for suspicious patterns in sensor data submissions
- Implement Content Security Policy (CSP) headers to block inline script execution, and enable CSP violation reporting so blocked attempts are visible
- Review browser developer console logs for unexpected script execution warnings when viewing dashboards
- Deploy web application firewall (WAF) rules to detect XSS payloads in sensor data traffic
Monitoring Recommendations
- Enable detailed logging for Android Auto integration and mobile device sensor updates
- Configure alerts for any sensor data containing HTML tags or JavaScript syntax patterns
- Monitor for unusual user session behavior that may indicate session hijacking post-exploitation
- Regularly audit sensor data sources and integration configurations for anomalies
How to Mitigate CVE-2026-33045
Immediate Actions Required
- Upgrade Home Assistant to version 2026.01 or later immediately
- Audit existing sensor data for any injected malicious content and remove suspicious entries
- Temporarily disable the Android Auto mobile phone sensor integration if immediate patching is not possible
- Review recent access logs for signs of exploitation attempts
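The "alert on sensor data containing HTML tags or JavaScript syntax patterns" recommendation and the "audit existing sensor data" action above, implemented as an added example that is not Home Assistant's own tooling: a scanner that walks entity states and flags any state or attribute value carrying tag syntax, event-handler attributes, javascript: URLs or HTML entities. It assumes the real Home Assistant REST endpoint GET /api/states with a long-lived access token for the live-instance path; the sample states below are constructed, not captured from a real deployment, so the block runs offline.

```python
"""Added example (not Home Assistant project code): audit entity states for markup-like values."""
import json
import re
import urllib.request

# Patterns that have no business in a numeric or time sensor value. &entity; is included
# because a value like &lt;script&gt; can become live markup after a later decode step.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z!]"              # opening/closing tag or comment start (<img, </div, <!--)
    r"|\bon[a-z]+\s*="              # event-handler attributes (onerror=, onload=, ...)
    r"|javascript\s*:"              # javascript: URLs
    r"|&(?:#x?[0-9a-f]+|[a-z]+);",  # HTML entities (&lt; &#60; &#x3c;)
    re.IGNORECASE,
)


def scan_states(states):
    """Return findings as (entity_id, field, value) for every string state or attribute
    value that matches SUSPICIOUS. Non-string attributes (numbers, lists) are skipped."""
    findings = []
    for entry in states:
        entity_id = entry.get("entity_id", "?")
        values = [("state", entry.get("state", ""))]
        for name, attr in entry.get("attributes", {}).items():
            values.append((f"attributes.{name}", attr))
        for field, value in values:
            if isinstance(value, str) and SUSPICIOUS.search(value):
                findings.append((entity_id, field, value))
    return findings


def fetch_states(base_url, token):
    """Fetch every entity state from a live instance (network call, not used offline).
    base_url is e.g. "http://homeassistant.local:8123"; token is a long-lived access token."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/states",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample: two benign phone sensors and one whose value carries markup.
SAMPLE_STATES = [
    {"entity_id": "sensor.phone_battery_level", "state": "87",
     "attributes": {"unit_of_measurement": "%", "friendly_name": "Phone Battery Level"}},
    {"entity_id": "sensor.phone_remaining_charge_time", "state": "42",
     "attributes": {"unit_of_measurement": "min", "friendly_name": "Remaining Charge Time"}},
    {"entity_id": "sensor.phone_remaining_charge_time_2",
     "state": "<img src=x onerror=alert(1)>",
     "attributes": {"friendly_name": "Remaining Charge Time"}},
]

if __name__ == "__main__":
    # Swap SAMPLE_STATES for fetch_states("http://homeassistant.local:8123", TOKEN)
    # to audit a live instance; run it from cron to turn the audit into an alert.
    for entity_id, field, value in scan_states(SAMPLE_STATES):
        print(f"ALERT {entity_id} {field}: {value!r}")
```

Expect some false positives from entities whose friendly names legitimately contain an ampersand entity or a word starting with "on" followed by "="; the point is to surface anything markup-shaped in fields that should only ever hold numbers, so tune the pattern per entity class rather than loosening it globally.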
Patch Information
Home Assistant has released version 2026.01 which addresses this vulnerability by implementing proper input sanitization for the "remaining charge time" sensor data. Users should upgrade to this version or later to remediate the issue. For additional details, refer to the GitHub Security Advisory GHSA-46j8-vpx8-6p72 and the related advisory GHSA-mq77-rv97-285m.
Workarounds
- Disable the Android Auto integration until the patch can be applied
- Restrict network access to Home Assistant to trusted internal networks only
- Implement Content Security Policy headers to mitigate XSS impact
- Limit user privileges to reduce potential attack surface from authenticated users
# Example: Restrict Home Assistant access at network level
# Add to firewall rules or reverse proxy configuration
# For UFW firewall - allow the local network, then deny port 8123 from everywhere else
# (UFW evaluates rules in order, so the allow must come before the deny)
sudo ufw allow from 192.168.1.0/24 to any port 8123
sudo ufw deny 8123

# Enable the clickjacking protection that the http: integration supports in configuration.yaml
# (indentation matters: the option must be nested under http:)
http:
  use_x_frame_options: true

# The http: integration has no option for custom response headers, so a Content-Security-Policy
# header has to be added at the reverse proxy in front of Home Assistant, e.g. in nginx.
# Verify the dashboard still loads after applying it; a strict policy can block legitimate scripts.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.