Cve-2026-31431

nickcmaynard · May 1, 2026, 9:32pm

Folks, not sure where to raise this, but it’s creating some fairly sizeable waves.

Essentially, root privs escalation from any user script. This means a rogue addon, script, etc. could conceivably harvest all creds stored in HA OS.

It feels like HA OS should be applying the mitigation as a matter of some urgency.

What’s the right place to find updates on this?

Markus99 · May 1, 2026, 9:54pm

github.com/home-assistant/operating-system

CVE‑2026‑31431

opened 10:05AM - 01 May 26 UTC

lxrkz

### Describe the issue you are experiencing Why is nobody writing about CVE‑202…6‑31431? What if someone downloads an "update" for any kind of plugin, with a dirty payload? Or is it already patched without notice? ### What operating system image do you use? generic-x86-64 (Generic UEFI capable x86-64 systems) ### What version of Home Assistant Operating System is installed? 17.2 ### Did the problem occur after upgrading the Operating System? No ### Hardware details . ### Steps to reproduce the issue 1. 2. 3. ... ### Anything in the Supervisor logs that might be useful for us? ```txt . ``` ### Anything in the Host logs that might be useful for us? ```txt . ``` ### System information _No response_ ### Additional information _No response_

Sounds like it’s been patched (which is good news) just hasn’t made it to a new version as of yet (not so good news).

Hoping they push it sooner-vs-later given the amount of 3rd party code people typically run on HA.