Philips Hue Bridge HomeKit Authentication Bypass (CVE-2026-3558) Demonstrated at Pwn2Own
A critical authentication bypass vulnerability in the Philips Hue Bridge, CVE-2026-3558, was disclosed after being demonstrated at Pwn2Own, allowing network-adjacent attackers to bypass security controls without authentication.
A critical authentication bypass vulnerability in the Philips Hue Bridge has been publicly disclosed, carrying a CVSS score of 8.1 and posing a significant risk to smart home networks. The flaw, tracked as CVE-2026-3558, was demonstrated at the Pwn2Own hacking competition and affects the HomeKit Accessory Protocol service running on TCP port 8080. Network-adjacent attackers can exploit the vulnerability without any authentication, effectively bypassing security controls on the device.
The specific weakness lies in the configuration of the HomeKit Accessory Protocol service, which fails to require authentication before granting access to sensitive functionality. This means an attacker within Wi-Fi range of a vulnerable Hue Bridge can interact with the service as if they were an authorized user. The vulnerability was reported to Philips on November 18, 2025, by researchers Ho Xuan Ninh (@Xuanninh1412) and Hoang Hai Long (@seadragnol) from Qrious Secure (@qriousec), and was publicly released on March 6, 2026.
Philips has addressed the issue in Bridge v2 software version 1975170000. Users are strongly advised to update their Hue Bridge firmware immediately through the Philips Hue app or by visiting the official release notes. The update patches the authentication bypass and closes the attack vector exploited at Pwn2Own.
The impact of this vulnerability extends beyond the Hue Bridge itself. Because the bridge often serves as a hub for other smart home devices, an attacker who gains unauthorized access could potentially manipulate lights, sensors, and other connected equipment. More critically, the bridge sits on the local network, meaning a successful compromise could serve as a foothold for lateral movement into other devices on the home or enterprise network.
This disclosure highlights the growing security scrutiny on Internet of Things (IoT) devices, particularly those that bridge local networks with cloud services. The HomeKit Accessory Protocol is designed to provide secure pairing and communication, but misconfigurations in its implementation can undermine those protections. The Pwn2Own demonstration underscores that even consumer-grade smart home devices can harbor vulnerabilities with serious implications for network security.
Philips has not reported any active exploitation of CVE-2026-3558 in the wild, but the public availability of the advisory and the high-profile nature of the Pwn2Own demonstration increase the likelihood of attackers attempting to reverse-engineer the flaw. Users who have not yet applied the firmware update remain at risk. The advisory from Zero Day Initiative (ZDI-26-156) provides full technical details for defenders to assess their exposure.