CVE-2026-44698 Overview
CVE-2026-44698 affects the Home Assistant Companion apps for Android and iOS. The apps expose a JavaScript bridge to the in-app WebView through window.externalApp on Android and webkit.messageHandlers.getExternalAuth, revokeExternalAuth, and externalBus on iOS. Two flaws combine: the bridge is reachable from every frame in the WebView, including cross-origin iframes, and the callback identifier passed through it is interpolated into generated JavaScript without sanitization. As a result, a cross-origin iframe rendered inside the Companion app can execute arbitrary JavaScript in the Home Assistant frontend's main-frame origin and exfiltrate the signed-in user's access token. The issue is fixed in version 2026.4.1 for iOS and 2026.4.4 for Android.
Critical Impact
A malicious cross-origin iframe loaded inside the Companion app can execute arbitrary JavaScript in the Home Assistant frontend origin and steal the user's access token.
Affected Products
- Home Assistant Companion for iOS prior to 2026.4.1
- Home Assistant Companion for Android prior to 2026.4.4
- Home Assistant frontend rendered inside the Companion app WebView
Discovery Timeline
- 2026-05-29 - CVE-2026-44698 published to NVD
- 2026-05-29 - Last updated in NVD database
Technical Details for CVE-2026-44698
Vulnerability Analysis
The Home Assistant Companion apps inject a native-to-web JavaScript bridge into the in-app WebView. On Android, the bridge surfaces as window.externalApp. On iOS, the bridge exposes webkit.messageHandlers.getExternalAuth, revokeExternalAuth, and externalBus. This bridge brokers privileged operations such as retrieving the signed-in user's access token. The vulnerability is classified as code injection under CWE-94.
Root Cause
Two defects combine to produce the flaw. First, the bridge is not scoped to the main frame and is reachable from every frame loaded in the WebView, including cross-origin iframes. Second, the JavaScript callback identifier passed through the bridge is interpolated into generated JavaScript without sanitization. An attacker who controls the iframe content controls the callback string and breaks out of the intended expression context.
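The two defects above map to two controls on the web side of such a bridge: the callback identifier must be validated as a plain identifier and resolved by property lookup rather than pasted into a script string, and bridge use must be refused outside the top-level frame. The following is an added illustration written for this page, not code from the Home Assistant Companion apps; the function names, the callback path format and the `window` parameter are assumptions. The unsafe builder is shown only to make the contrast visible; the hardened builder carries the identifier and payload as JSON data.

```javascript
// Added example (not Home Assistant code): validating a callback identifier and
// scoping a native-to-web bridge to the main frame. All names are hypothetical.

// A callback identifier may only be a dotted chain of plain JS identifiers,
// e.g. "haAuth.onToken". Anything else (parentheses, semicolons, quotes) is rejected.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isSafeCallbackIdentifier(name) {
  return typeof name === "string" && name.length <= 128 && CALLBACK_RE.test(name);
}

// Vulnerable pattern: the raw identifier is concatenated into the script that the
// native layer evaluates, so whatever the caller supplied becomes code.
function buildScriptUnsafe(name, payloadJson) {
  return `${name}(${payloadJson});`;
}

// Hardened pattern: validate first, then embed the identifier as a JSON array of
// path segments and the payload as JSON. The generated script walks the path with
// property lookups, so neither value can change the structure of the code.
function buildScriptSafe(name, payload) {
  if (!isSafeCallbackIdentifier(name)) {
    throw new Error("rejected callback identifier");
  }
  const path = JSON.stringify(name.split("."));
  const data = JSON.stringify(payload);
  return (
    `(function(w){var f=${path}.reduce(function(o,k){return o==null?undefined:o[k];},w);` +
    `if(typeof f==="function"){f(${data});}})(window);`
  );
}

// Frame scoping: only the top-level document may use the bridge. A cross-origin
// child frame throws on window.top access, which is treated as "not main frame".
function isMainFrame(win) {
  try {
    return win.top === win.self;
  } catch (e) {
    return false;
  }
}

// Web-side dispatcher combining both checks before anything is handed to the bridge.
function requestViaBridge(win, callbackName, send) {
  if (!isMainFrame(win)) return false;
  if (!isSafeCallbackIdentifier(callbackName)) return false;
  send(callbackName);
  return true;
}
```

The native side still needs its own frame check (the WebView reports whether a message came from the main frame); the web-side check only stops the frontend itself from handing the bridge to embedded content.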
Attack Vector
The attacker must lure or trick the Home Assistant frontend into rendering a cross-origin iframe under attacker control. From inside that iframe, the attacker invokes the exposed bridge with a crafted callback identifier. The native layer evaluates the injected payload in the Home Assistant frontend's main-frame origin. The payload can then call getExternalAuth to retrieve the access token and exfiltrate it to an external host. Exploitation requires user interaction and is rated network-attackable with high attack complexity.
No verified public exploit code is available. Technical details are described in the GitHub Security Advisory.
Detection Methods for CVE-2026-44698
Indicators of Compromise
- Outbound HTTP requests from mobile devices carrying Home Assistant long-lived access tokens to domains unrelated to the user's instance.
- Unexpected cross-origin iframes rendered inside the Home Assistant frontend referencing untrusted third-party origins.
- Anomalous use of access tokens from IP addresses or user agents that do not match the registered Companion app session.
Detection Strategies
- Inspect Home Assistant access logs for API calls authenticated with a valid token but originating from unfamiliar source addresses.
- Audit custom dashboards, Lovelace cards, and integrations that embed external content via iframe for untrusted URLs.
- Monitor mobile network telemetry for Companion app sessions that initiate token-bearing requests to non-Home Assistant endpoints.
Monitoring Recommendations
- Enable Home Assistant authentication and token usage logging and forward events to a centralized log platform.
- Alert on creation of new long-lived access tokens shortly after a user opens an unknown dashboard view.
- Track Companion app version distribution across the user base and flag clients still on pre-patch builds.
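Two of the checks above, token use from a source address not seen before for that token and clients still on a pre-patch build, can be run over the same access log in one pass. The following is an added example for this page, not Home Assistant code: the log line layout and the user-agent string are a constructed, hypothetical format (Home Assistant's real log and user-agent formats are not reproduced here), and the sample lines are made up. Only the fixed versions come from the advisory.

```javascript
// Added example (not Home Assistant code). Scans a constructed log format for
// (a) a token used from a source address not previously seen for it and
// (b) Companion user agents below the fixed versions named in the advisory.

const FIXED_VERSIONS = { ios: "2026.4.1", android: "2026.4.4" };

// Constructed sample lines in a hypothetical layout:
// "<timestamp> <src_ip> token=<token_id> ua=\"<user agent>\" <method> <path>"
const SAMPLE_LOG = [
  '2026-05-30T08:00:01Z 192.168.1.20 token=tok_a1 ua="HomeAssistant/2026.4.4 (Android)" GET /api/states',
  '2026-05-30T08:00:05Z 192.168.1.20 token=tok_a1 ua="HomeAssistant/2026.4.4 (Android)" GET /api/config',
  '2026-05-30T08:02:10Z 203.0.113.77 token=tok_a1 ua="curl/8.5.0" GET /api/states',
  '2026-05-30T08:03:00Z 192.168.1.31 token=tok_b2 ua="HomeAssistant/2026.3.2 (iOS)" GET /api/states',
];

function parseLine(line) {
  const m = line.match(/^(\S+) (\S+) token=(\S+) ua="([^"]*)" (\S+) (\S+)$/);
  if (!m) return null;
  return { ts: m[1], src: m[2], token: m[3], ua: m[4], method: m[5], path: m[6] };
}

// Numeric dotted-version comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Extract platform and version from the hypothetical Companion user agent.
function companionVersion(ua) {
  const m = ua.match(/^HomeAssistant\/(\d+\.\d+\.\d+) \((Android|iOS)\)/);
  return m ? { version: m[1], platform: m[2].toLowerCase() } : null;
}

// knownSources: { tokenId: [addresses seen during a baseline period] }.
// With no baseline, the first address seen for a token becomes its baseline.
function analyze(lines, knownSources) {
  const seen = new Map(Object.entries(knownSources).map(([k, v]) => [k, new Set(v)]));
  const findings = [];
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;

    const sources = seen.get(ev.token) || new Set();
    if (sources.size > 0 && !sources.has(ev.src)) {
      findings.push({ type: "token-from-new-source", token: ev.token, src: ev.src, ts: ev.ts });
    }
    sources.add(ev.src);
    seen.set(ev.token, sources);

    const cv = companionVersion(ev.ua);
    if (cv && compareVersions(cv.version, FIXED_VERSIONS[cv.platform]) < 0) {
      findings.push({ type: "pre-patch-client", platform: cv.platform, version: cv.version, src: ev.src });
    }
  }
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(analyze(SAMPLE_LOG, {}));
}
```

On the sample above, tok_a1 is first established at 192.168.1.20 and then appears from 203.0.113.77 with a non-Companion user agent, which is the pattern the Indicators of Compromise describe; tok_b2 is used from an iOS build below 2026.4.1. A real deployment would seed `knownSources` from a baseline window rather than from the first line of the scan.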
How to Mitigate CVE-2026-44698
Immediate Actions Required
- Update the Home Assistant Companion app to 2026.4.1 on iOS and 2026.4.4 on Android on every device.
- Revoke existing long-lived access tokens and force re-authentication for users who may have opened untrusted dashboards.
- Remove or replace any Lovelace cards, panels, or integrations that load iframes from untrusted third-party origins.
Patch Information
The vendor fixed the issue in Home Assistant Companion 2026.4.1 for iOS and 2026.4.4 for Android. Refer to the GitHub Security Advisory GHSA-7jp2-p2fw-mgvf for the full vendor write-up and fixed release notes.
Workarounds
- Avoid using the Companion app to view dashboards that embed cross-origin iframes until the app is updated.
- Restrict access to the Home Assistant frontend so that only trusted users can add custom content that could embed external iframes.
- Use a per-user access policy and short-lived tokens where possible to limit the impact of token theft.
# Verify installed Companion app version on Android via ADB
adb shell dumpsys package io.homeassistant.companion.android | grep versionName

# Revoke a compromised long-lived access token via the Home Assistant API
curl -X POST "https://<your-ha-host>/auth/revoke" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "token=<ACCESS_TOKEN>&action=revoke"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

