CVE-2021-47942
Description
Home Assistant Community Store (HACS) 1.10.0 contains a path traversal vulnerability that allows unauthenticated attackers to read sensitive files by traversing directories via the /hacsfiles/ endpoint. Attackers can retrieve the .storage/auth file containing user credentials and refresh tokens, then craft valid JWT tokens to gain administrative access to Home Assistant instances.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Path traversal in HACS 1.10.0 allows unauthenticated attackers to read sensitive files and craft JWT tokens for admin access to Home Assistant.
Vulnerability
Overview
Home Assistant Community Store (HACS) versions prior to 1.10.0 contain a path traversal vulnerability in the /hacsfiles/ endpoint. The endpoint fails to properly sanitize user-supplied paths, allowing an attacker to traverse directories using ../ sequences. This enables retrieval of arbitrary files from the Home Assistant filesystem, including the .storage/auth file which stores user credentials and refresh tokens [2][3].
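The unsanitised join that the Overview describes, placed beside a resolver that confines every request to the served directory, as an added example; this is not HACS or Home Assistant code. It assumes a base directory of /srv/www and request paths constructed for illustration, and the names resolve_unsafe, resolve_confined, escapes_base and is_served are hypothetical.

```python
# Added example, not code from HACS or Home Assistant. Contrasts the unsafe
# pattern (a request path joined onto a base directory without normalisation)
# with a resolver that confines the result to that directory. The base
# directory "/srv/www" and the request paths are constructed for illustration;
# all function names below are hypothetical.
from pathlib import Path
from typing import Union
import urllib.parse


class TraversalError(ValueError):
    """Raised when a request path would leave the served directory."""


def resolve_unsafe(base: Union[str, Path], requested: str) -> Path:
    # Vulnerable pattern: plain concatenation, no normalisation, no check.
    # "../../.storage/auth" survives intact and the OS walks it upward.
    return Path(f"{base}/{requested}")


def resolve_confined(base: Union[str, Path], requested: str) -> Path:
    """Return the on-disk path for ``requested`` or raise TraversalError."""
    # Decode percent-encoding so "%2e%2e/" cannot smuggle a ".." segment past
    # the containment check. If the web framework already decoded the path,
    # decoding again only makes the check stricter.
    decoded = urllib.parse.unquote(requested)
    # NUL bytes and absolute paths are never legitimate for a static file.
    if "\x00" in decoded or decoded.startswith(("/", "\\")):
        raise TraversalError(f"rejected request path: {requested!r}")
    root = Path(base).resolve()
    # resolve() collapses ".." and follows symlinks, so the comparison is
    # made on the real location the OS would actually open.
    candidate = (root / decoded).resolve()
    try:
        candidate.relative_to(root)  # ValueError when candidate is outside root
    except ValueError:
        raise TraversalError(f"path escapes {root}: {requested!r}") from None
    return candidate


def escapes_base(base: Union[str, Path], requested: str) -> bool:
    """True if the unsafe resolver would open a file outside ``base``."""
    root = Path(base).resolve()
    real = resolve_unsafe(base, requested).resolve()
    return real != root and root not in real.parents


def is_served(base: Union[str, Path], requested: str) -> bool:
    """True if the confined resolver accepts ``requested``."""
    try:
        resolve_confined(base, requested)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    BASE = "/srv/www"  # constructed; stands in for the static-file root
    for req in ("community/card.js",
                "../../.storage/auth",
                "%2e%2e/%2e%2e/.storage/auth"):
        print(f"{req:32} unsafe escapes={escapes_base(BASE, req)!s:5} "
              f"confined serves={is_served(BASE, req)}")
```

Because the candidate is resolved before the containment check, a symlink inside the served directory that points outside it is rejected as well, not only literal ../ segments. On Python 3.9 and later, Path.is_relative_to can replace the try/except around relative_to.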
Exploitation
An unauthenticated attacker can send a crafted GET request to http://<target>:<port>/hacsfiles/../../.storage/auth to download the authentication database. The response contains JSON data with user IDs, refresh tokens, and JWT signing keys. Using these tokens, the attacker can forge valid JWT tokens by encoding the issuer claim with the stolen jwt_key and algorithm HS256 [2]. The exploit requires no authentication and can be executed remotely over the network.
Impact
Successful exploitation grants the attacker administrative access to the Home Assistant instance. With a forged JWT token, the attacker can impersonate the owner user, gaining full control over all connected smart home devices, automations, and integrations. This effectively compromises the entire home automation system [3].
Mitigation
The vulnerability is fixed in HACS version 1.10.0. Users should upgrade to this version or later immediately. No workarounds are available for earlier versions [4]. The issue has been publicly documented with proof-of-concept exploit code, increasing the risk of active exploitation [2].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 1.10.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References