CVE-2026-40602 Overview
CVE-2026-40602 is a code injection vulnerability in the Home Assistant Command-line interface (hass-cli), a command-line tool for Home Assistant. In versions up to 1.0.0 of home-assistant-cli, an unrestricted environment was used to handle Jinja2 templates instead of a sandboxed one. The user-supplied input within Jinja2 templates was rendered locally with no restrictions, giving users access to Python's internals and extending the scope of templating beyond its intended usage.
Critical Impact
This vulnerability allows attackers with local access to inject malicious Jinja2 templates that execute arbitrary Python code, potentially leading to unauthorized access to sensitive data or system compromise.
Affected Products
- Home Assistant CLI (hass-cli) versions prior to 1.0.0
Discovery Timeline
- 2026-04-21 - CVE-2026-40602 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-40602
Vulnerability Analysis
This vulnerability falls under CWE-94 (Improper Control of Generation of Code), commonly known as code injection. The core issue stems from the use of an unrestricted Jinja2 template rendering environment in the Home Assistant CLI. Jinja2 is a powerful templating engine for Python that, when used without proper sandboxing, can expose the full Python runtime to template authors.
In a properly secured application, Jinja2 templates should be rendered within a sandboxed environment that restricts access to potentially dangerous Python built-ins, modules, and object attributes. The Home Assistant CLI failed to implement these restrictions, allowing template authors to access Python's internal mechanisms such as __class__, __mro__, __subclasses__(), and other introspection capabilities.
This unrestricted access enables attackers to traverse Python's object hierarchy to reach modules such as os, subprocess, or builtins, ultimately achieving arbitrary code execution on the local system.
Root Cause
The root cause of this vulnerability is the failure to use a sandboxed Jinja2 environment when rendering user-supplied templates. The Home Assistant CLI used the standard jinja2.Environment instead of the safer jinja2.sandbox.SandboxedEnvironment, which restricts access to unsafe attributes and methods. Without sandboxing, any user input processed through the template engine could leverage Python's introspection capabilities to escape the template context and execute arbitrary code.
Attack Vector
The attack requires local access to the system running Home Assistant CLI and elevated privileges. An attacker must craft a malicious Jinja2 template that exploits Python's introspection capabilities. The template is then processed by the CLI without restrictions, allowing the attacker to access Python internals.
A typical Server-Side Template Injection (SSTI) attack against unsandboxed Jinja2 involves traversing the Method Resolution Order (MRO) to locate dangerous classes. Attackers can navigate from a basic object like an empty string to the base object class, then enumerate all subclasses to find modules that provide system access such as file operations or command execution. For detailed technical information about this vulnerability, see the GitHub Security Advisory GHSA-33qf-q99x-wpm8.
Detection Methods for CVE-2026-40602
Indicators of Compromise
- Unusual Jinja2 template syntax in CLI inputs containing Python dunder methods like __class__, __mro__, or __subclasses__
- Log entries showing unexpected template rendering errors or Python exceptions related to introspection
- Evidence of unauthorized file access or command execution traced back to CLI operations
Detection Strategies
- Implement input validation to detect and block template syntax containing Python introspection patterns
- Monitor CLI usage for anomalous template inputs, particularly those containing double-underscore attributes
- Review application logs for template rendering exceptions that may indicate exploitation attempts
Monitoring Recommendations
- Enable verbose logging for the Home Assistant CLI to capture template processing activity
- Set up alerts for patterns matching Jinja2 SSTI payloads such as {{.*__class__.*}} or similar constructs
- Monitor file system and process activity on systems running vulnerable versions of hass-cli
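The pattern-matching strategy described above (flagging template input that contains double-underscore attributes) can be implemented as a small scanner. The code below is an added example, not hass-cli code or a tool from the advisory; the log lines are constructed and their `template="..."` field layout is an assumption.

```python
import re

# Constructed sample log lines (not real hass-cli output). The assumed layout
# is: timestamp, program name, then the template the user passed to the CLI.
SAMPLE_LOG = """\
2026-04-22T10:01:03 hass-cli template="{{ states('light.kitchen') }}"
2026-04-22T10:02:17 hass-cli template="{{ ''.__class__.__mro__ }}"
2026-04-22T10:03:44 hass-cli template="{{ state_attr('sensor.temp', 'unit_of_measurement') }}"
2026-04-22T10:04:10 hass-cli template="{% set c = ''.__class__ %}{{ c }}"
2026-04-22T10:05:58 hass-cli template="{{ states.sensor.temp.state | float > 21 }}"
"""

# Jinja2 expression blocks ({{ ... }}) and statement blocks ({% ... %}).
TEMPLATE_BLOCK = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.DOTALL)
# Any Python dunder name: __class__, __mro__, __subclasses__, ...
DUNDER = re.compile(r"__[A-Za-z]\w*__")


def suspicious_dunders(template_source):
    """Return the sorted list of dunder names used inside Jinja2 blocks of
    template_source. Text outside a block is ignored, so a file name such as
    __init__.py mentioned in plain text does not trigger a hit."""
    found = set()
    for block in TEMPLATE_BLOCK.findall(template_source):
        found.update(DUNDER.findall(block))
    return sorted(found)


def scan_log(text):
    """Scan a log and return (line number, dunder names) for each line whose
    template contains introspection-style attribute access."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        names = suspicious_dunders(line)
        if names:
            hits.append((lineno, names))
    return hits


if __name__ == "__main__":
    for lineno, names in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: introspection attributes {', '.join(names)}")
```

Legitimate Home Assistant templates call helpers such as `states()` and `state_attr()` and have no reason to touch underscore-prefixed attributes, so a hit is a strong signal. This is still a heuristic for monitoring and triage; the actual fix is the sandboxed environment shipped in 1.0.0.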
How to Mitigate CVE-2026-40602
Immediate Actions Required
- Upgrade Home Assistant CLI to version 1.0.0 or later immediately
- Audit any systems running vulnerable versions for signs of compromise
- Review CLI usage logs for suspicious template injection patterns
- Restrict local access to systems running the Home Assistant CLI
Patch Information
The vulnerability has been fixed in version 1.0.0 of the Home Assistant CLI. The fix implements a sandboxed Jinja2 environment that restricts access to Python internals and limits template capabilities to intended functionality. For details on the fix, refer to GitHub Pull Request #453.
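To make the Root Cause and Patch Information sections concrete, the following added example (not code from hass-cli, the advisory, or the linked pull request) renders the same two templates with an unrestricted `jinja2.Environment` and with `jinja2.sandbox.SandboxedEnvironment`. The templates and the context dictionary are constructed for the example; they stand in for the state data hass-cli would supply.

```python
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment, SecurityError

# Constructed sample templates. BENIGN is the kind of template a user has a
# legitimate reason to pass; INTROSPECTING reaches for Python internals via
# the __class__ and __mro__ attributes the advisory names.
BENIGN = "{{ entity_id }} is {{ state | upper }}"
INTROSPECTING = "{{ ''.__class__.__mro__ }}"

# Constructed context standing in for Home Assistant state data.
CONTEXT = {"entity_id": "light.kitchen", "state": "on"}


def render_unrestricted(source, context):
    """Vulnerable pattern: a plain Environment lets a template read any
    attribute of any object it can reach, dunders included."""
    return Environment().from_string(source).render(**context)


def render_sandboxed(source, context):
    """Fixed pattern: SandboxedEnvironment treats underscore-prefixed and other
    internal attributes as unsafe and raises SecurityError when a template
    tries to go through them."""
    return SandboxedEnvironment().from_string(source).render(**context)


def sandbox_blocks(source, context):
    """True when the sandbox rejects the template with SecurityError."""
    try:
        render_sandboxed(source, context)
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    print("unrestricted, benign     :", render_unrestricted(BENIGN, CONTEXT))
    print("unrestricted, introspect :", render_unrestricted(INTROSPECTING, CONTEXT))
    print("sandboxed,    benign     :", render_sandboxed(BENIGN, CONTEXT))
    print("sandboxed,    introspect : blocked =", sandbox_blocks(INTROSPECTING, CONTEXT))
```

The benign template renders identically in both environments, so switching to the sandbox costs nothing for the templating the CLI is meant to support, while the introspecting template, which the plain environment happily evaluates down to Python's base `object` class, is refused by the sandbox. Note that the sandbox restricts attribute access and unsafe calls but is not a substitute for treating template input as untrusted at the CLI boundary.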
Workarounds
- If immediate upgrade is not possible, restrict access to the Home Assistant CLI to trusted users only
- Implement network segmentation to limit the potential impact of exploitation
- Consider temporarily disabling features that process user-supplied Jinja2 templates until the upgrade can be completed
# Upgrade Home Assistant CLI to patched version (quote the specifier so the
# shell does not treat ">=" as an output redirection)
pip install --upgrade "home-assistant-cli>=1.0.0"
# Verify installed version
hass-cli --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.