Threat Feed
high threat

CVE-2021-47942: Home Assistant Community Store (HACS) Path Traversal Vulnerability

Home Assistant Community Store (HACS) 1.10.0 is vulnerable to a path traversal, allowing unauthenticated attackers to read sensitive files by traversing directories via the /hacsfiles/ endpoint, leading to potential account takeover.

Home Assistant Community Store (HACS) version 1.10.0 contains a path traversal vulnerability, identified as CVE-2021-47942, which enables unauthenticated attackers to read arbitrary sensitive files on the system. The vulnerability resides in the /hacsfiles/ endpoint, which lacks proper input validation, allowing directory traversal. Successful exploitation grants attackers access to sensitive files such as .storage/auth, which contains user credentials and refresh tokens. This allows attackers to craft valid JWT tokens and gain administrative access to Home Assistant instances, potentially compromising the entire smart home ecosystem managed by the affected instance. The vulnerability was reported in May 2026.

Attack Chain

  1. An unauthenticated attacker sends a crafted HTTP request to the /hacsfiles/ endpoint with a path traversal sequence in the URL.
  2. The vulnerable application fails to properly sanitize the input, allowing the attacker to traverse the file system.
  3. The attacker targets the .storage/auth file, which contains sensitive user credentials and refresh tokens.
  4. The application reads and returns the contents of the targeted file to the attacker.
  5. The attacker extracts user credentials and refresh tokens from the obtained .storage/auth file.
  6. The attacker uses the extracted information to craft valid JWT tokens.
  7. The attacker authenticates to the Home Assistant instance using the crafted JWT tokens.
  8. The attacker gains administrative access to the Home Assistant instance, allowing full control over connected devices and configurations.

Impact

Successful exploitation of this vulnerability allows unauthenticated attackers to gain administrative control over Home Assistant instances. This can lead to unauthorized access to and manipulation of connected smart home devices, exposure of sensitive user data, and potential disruption of home automation systems. The impact ranges from privacy violations and service disruption to complete compromise of the affected smart home environment. Given the widespread use of Home Assistant, a successful attack could affect a significant number of users.

Recommendation

  • Deploy the Sigma rule "Detect HACS Path Traversal Attempt" to detect requests with path traversal sequences targeting the /hacsfiles/ endpoint.
  • Apply input validation and sanitization to the /hacsfiles/ endpoint to prevent directory traversal attacks, addressing CVE-2021-47942.
  • Monitor web server logs for suspicious activity related to the /hacsfiles/ endpoint, as logged by the “webserver” category.
  • Upgrade to a patched version of Home Assistant Community Store (HACS) that addresses the path traversal vulnerability.
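The two defensive recommendations above (validate the path the /hacsfiles/ route resolves, and watch the web server log for traversal attempts) are shown together in the following added example. It is illustrative code written for this page, not HACS or Home Assistant project code and not the actual upstream patch: the root directory `HACS_FILES_ROOT`, the function names, the Common Log Format access-log layout and the sample log lines are all assumptions, while the two rule names it reports are the ones listed under Detection coverage on this page.

```python
"""Added example (not HACS project code): a hardened resolver for a
/hacsfiles/-style static route plus a log scanner that flags the two
detections named on this page. All paths, names and sample lines are
assumptions constructed for illustration."""
import re
from pathlib import Path
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Hypothetical directory the /hacsfiles/ route is supposed to serve from.
HACS_FILES_ROOT = Path("/config/www/community").resolve()

# Names of the two detections listed on this page.
RULE_TRAVERSAL = "Detect HACS Path Traversal Attempt"
RULE_AUTH_FILE = "Detect Access to Sensitive .storage/auth File via HACS"


def resolve_hacs_file(requested: str, root: Path = HACS_FILES_ROOT) -> Optional[Path]:
    """Map the part of the URL after /hacsfiles/ to a file inside `root`.

    Returns None when the decoded, normalised path would land outside
    `root`; this containment check is the input validation the advisory
    says the vulnerable endpoint lacked, and it stops a request for
    ../../.storage/auth from ever touching the file system.
    """
    # Decode twice so double-encoded dots (%252e) are normalised as well.
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:  # NUL bytes have no business in a file name
        return None
    # resolve() collapses '..' segments (and symlinks for existing paths).
    candidate = (root / decoded.lstrip("/")).resolve()
    # Reject anything that is not strictly below root (root itself included).
    if root not in candidate.parents:
        return None
    return candidate


def classify_request(path: str) -> Optional[str]:
    """Return the rule name a request path trips, or None if it is benign."""
    if not path.startswith("/hacsfiles/"):
        return None
    decoded = unquote(unquote(path))
    if ".storage/auth" in decoded:
        return RULE_AUTH_FILE
    if "../" in decoded or "..\\" in decoded:
        return RULE_TRAVERSAL
    return None


# Assumed Common Log Format line: client ident user [time] "METHOD PATH PROTO" status size
ACCESS_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def scan_access_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run classify_request over log lines; return (client, path, rule) hits."""
    hits = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        rule = classify_request(m.group("path"))
        if rule:
            hits.append((m.group("src"), m.group("path"), rule))
    return hits


# Constructed sample log lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/May/2026:10:00:00 +0000] "GET /hacsfiles/lovelace-card/card.js HTTP/1.1" 200 1234',
    '203.0.113.7 - - [01/May/2026:10:00:01 +0000] "GET /hacsfiles/../../.storage/auth HTTP/1.1" 200 4321',
    '203.0.113.7 - - [01/May/2026:10:00:02 +0000] "GET /hacsfiles/%2e%2e/%2e%2e/configuration.yaml HTTP/1.1" 200 999',
    '198.51.100.9 - - [01/May/2026:10:00:03 +0000] "GET /api/states HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for src, path, rule in scan_access_log(SAMPLE_LOG):
        print(f"{src} {path} -> {rule}")
    print(resolve_hacs_file("lovelace-card/card.js"))   # inside root: a Path
    print(resolve_hacs_file("../../.storage/auth"))      # escapes root: None
```

The resolver decides by comparing the normalised absolute path against the configured root rather than by searching for `..` in the string, so encoded and double-encoded variants are handled by the same rule; the log scanner, by contrast, decodes and looks for the traversal tokens, because a 200 status on such a request is exactly the signal the two Sigma detections are meant to surface.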

Detection coverage (2)

Detect HACS Path Traversal Attempt

high

Detects exploitation of CVE-2021-47942: path traversal attempts in Home Assistant Community Store (HACS) via the /hacsfiles/ endpoint.

Type: sigma | Tactics: initial_access | Techniques: T1190 | Sources: webserver

Detect Access to Sensitive .storage/auth File via HACS

critical

Detects attempts to access the sensitive .storage/auth file using the path traversal vulnerability in HACS (CVE-2021-47942).

Type: sigma | Tactics: initial_access | Techniques: T1190 | Sources: webserver
