{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/hacs/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2021-47942"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Home Assistant Community Store (HACS) 1.10.0"],"_cs_severities":["high"],"_cs_tags":["path-traversal","account-takeover","hacs","cve-2021-47942"],"_cs_type":"threat","_cs_vendors":["home-assistant"],"content_html":"\u003cp\u003eHome Assistant Community Store (HACS) version 1.10.0 contains a path traversal vulnerability, identified as CVE-2021-47942, which enables unauthenticated attackers to read arbitrary sensitive files on the system. The vulnerability resides in the \u003ccode\u003e/hacsfiles/\u003c/code\u003e endpoint, which lacks proper input validation, allowing directory traversal. Successful exploitation grants attackers access to sensitive files such as \u003ccode\u003e.storage/auth\u003c/code\u003e, which contains user credentials and refresh tokens. This allows attackers to craft valid JWT tokens and gain administrative access to Home Assistant instances, potentially compromising the entire smart home ecosystem managed by the affected instance. The vulnerability was reported in May 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a crafted HTTP request to the \u003ccode\u003e/hacsfiles/\u003c/code\u003e endpoint with a path traversal sequence in the URL.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application fails to properly sanitize the input, allowing the attacker to traverse the file system.\u003c/li\u003e\n\u003cli\u003eThe attacker targets the \u003ccode\u003e.storage/auth\u003c/code\u003e file, which contains sensitive user credentials and refresh tokens.\u003c/li\u003e\n\u003cli\u003eThe application reads and returns the contents of the targeted file to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts user credentials and refresh tokens from the obtained \u003ccode\u003e.storage/auth\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted information to craft valid JWT tokens.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Home Assistant instance using the crafted JWT tokens.\u003c/li\u003e\n\u003cli\u003eThe attacker gains administrative access to the Home Assistant instance, allowing full control over connected devices and configurations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated attackers to gain administrative control over Home Assistant instances. This can lead to unauthorized access to and manipulation of connected smart home devices, exposure of sensitive user data, and potential disruption of home automation systems. The impact ranges from privacy violations and service disruption to complete compromise of the affected smart home environment. Given the widespread use of Home Assistant, a successful attack could affect a significant number of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect HACS Path Traversal Attempt\u003c/code\u003e to detect requests with path traversal sequences targeting the \u003ccode\u003e/hacsfiles/\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003e/hacsfiles/\u003c/code\u003e endpoint to prevent directory traversal attacks, addressing CVE-2021-47942.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to the \u003ccode\u003e/hacsfiles/\u003c/code\u003e endpoint, as logged by the \u0026ldquo;webserver\u0026rdquo; category.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of Home Assistant Community Store (HACS) that addresses the path traversal vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-16T16:19:57Z","date_published":"2026-05-16T16:19:57Z","id":"https://feed.craftedsignal.io/briefs/2026-05-hacs-path-traversal/","summary":"Home Assistant Community Store (HACS) 1.10.0 is vulnerable to a path traversal, allowing unauthenticated attackers to read sensitive files by traversing directories via the /hacsfiles/ endpoint, leading to potential account takeover.","title":"CVE-2021-47942: Home Assistant Community Store (HACS) Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-hacs-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Hacs","version":"https://jsonfeed.org/version/1.1"}