GHSA-q855-8rh5-jfgq: ha-mcp: Add-on settings and policy routes are reachable without authentication at the bare root path
Summary
In Home Assistant add-on mode (v7.6.0 and earlier), certain settings routes were accessible at the root port (`:9583`) without authentication (no secret, CSRF token, or origin check), allowing anyone on the local network to read or modify tool configurations, feature flags, backups, restart the add-on, and manage approval policies if enabled. The MCP endpoint itself remained protected, and there was no access to Home Assistant data or credentials.
Solution / Mitigation
Fixed in PR homeassistant-ai/ha-mcp#1508: root-mounted add-on routes are now restricted to Home Assistant ingress (requests from the Supervisor at `172.30.32.2`), with all other callers receiving a `403` (forbidden) response. Direct and remote access continue to use the protected settings UI under the MCP secret path. The fix ships in the next stable add-on release and is available now in the dev channel (add-on dev build `7.6.0.dev393` or later).
Classification
Affected Packages
Original source: https://github.com/advisories/GHSA-q855-8rh5-jfgq
First tracked: July 7, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 95%