HomeBox API Flaw Bypasses Access Controls
The National Vulnerability Database has detailed CVE-2026-40196, a high-severity (CVSS 8.1) vulnerability in HomeBox, a home inventory and organization system. Versions prior to 0.25.0 are affected. The flaw is that a user’s defaultGroup ID persists after their access to that group is revoked, even though the web interface correctly enforces the revocation.
While the web interface prevents unauthorized viewing or modification, the API does not. An attacker can exploit this by omitting the X-Tenant header when making API calls, so the request falls back to the stale defaultGroup. This allows full Create, Read, Update, and Delete (CRUD) operations on the group’s collections, completely bypassing the intended access controls. It is a critical logic flaw: through the API, a revoked user effectively retains the same access to the group’s collections as a current member.
This isn’t just a theoretical bypass; it’s a fundamental breakdown of access control at the API layer. The fix, available in version 0.25.0, addresses this by correctly validating the defaultGroup ID and the X-Tenant header. Defenders must recognize that UI-level access controls are insufficient if the underlying APIs are not equally secured.
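To make the failure mode concrete, here is an added illustration in Go (HomeBox’s backend language) of the tenant-resolution pattern the advisory describes. This is not HomeBox’s code and does not reproduce its actual API or data model; the `User` record, the `/api/v1/collections` path and the group IDs are constructed for the example. The vulnerable resolver checks an explicitly supplied X-Tenant header against current membership but falls back to the stored defaultGroup without any check; the fixed resolver applies the membership check to the group ID regardless of where it came from.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Illustrative user record (assumed for this example, not HomeBox's model):
// DefaultGroup is a persisted preference; Memberships is the authoritative
// set of groups the user currently belongs to.
type User struct {
	ID           string
	DefaultGroup string
	Memberships  map[string]bool
}

var ErrForbidden = errors.New("forbidden: not a member of the requested group")

// tenantFromRequest reads the X-Tenant header; empty means "not supplied".
func tenantFromRequest(r *http.Request) string {
	return r.Header.Get("X-Tenant")
}

// resolveTenantVulnerable models the flawed logic: a supplied X-Tenant is
// checked against current membership, but when the header is absent the
// request silently falls back to the stored default group with no check.
// A user removed from their default group therefore still resolves to it.
func resolveTenantVulnerable(u User, r *http.Request) (string, error) {
	if t := tenantFromRequest(r); t != "" {
		if !u.Memberships[t] {
			return "", ErrForbidden
		}
		return t, nil
	}
	return u.DefaultGroup, nil // unchecked fallback: this is the bug
}

// resolveTenantFixed applies the membership check to whichever source the
// group ID came from, so a stale default group is rejected exactly like any
// other group the user does not belong to.
func resolveTenantFixed(u User, r *http.Request) (string, error) {
	tenant := tenantFromRequest(r)
	if tenant == "" {
		tenant = u.DefaultGroup
	}
	if tenant == "" || !u.Memberships[tenant] {
		return "", ErrForbidden
	}
	return tenant, nil
}

// newRequest builds a GET to a hypothetical collections endpoint, with or
// without the X-Tenant header.
func newRequest(tenant string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "/api/v1/collections", nil)
	if tenant != "" {
		r.Header.Set("X-Tenant", tenant)
	}
	return r
}

// revokedUser is constructed sample data: the user has been removed from
// "group-A", but DefaultGroup still points at it.
func revokedUser() User {
	return User{
		ID:           "user-1",
		DefaultGroup: "group-A",
		Memberships:  map[string]bool{"group-B": true},
	}
}

func main() {
	u := revokedUser()
	for _, tenant := range []string{"group-A", ""} {
		r := newRequest(tenant)
		v, verr := resolveTenantVulnerable(u, r)
		f, ferr := resolveTenantFixed(u, r)
		fmt.Printf("X-Tenant=%q  vulnerable=(%q, %v)  fixed=(%q, %v)\n", tenant, v, verr, f, ferr)
	}
}
```

Running `main` shows the asymmetry: with `X-Tenant: group-A` both resolvers refuse the revoked user, but with the header omitted only the fixed resolver does. The general lesson is that any fallback value used for authorization (a default tenant, a remembered organization, a cached role) must be re-validated against current state on every request, not trusted because it was valid when stored.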
What This Means For You
- If your organization or personal setup uses HomeBox, you are exposed. Check your HomeBox instance immediately and ensure it is updated to version 0.25.0 or later. This isn't a vulnerability you can just monitor; it's a direct bypass that gives an attacker full control over your inventory data via the API if they were ever a member of a group. Patch now.
🛡️ Detection Rules
HomeBox API Unauthorized Access via Default Group - CVE-2026-40196
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40196 | Auth Bypass | HomeBox versions prior to 0.25.0 |
| CVE-2026-40196 | Auth Bypass | HomeBox API access control bypass via defaultGroup ID and omitted X-Tenant header |
| CVE-2026-40196 | Auth Bypass | HomeBox API allows CRUD operations on collections after group access revocation |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 18, 2026 at 00:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.