Disclosure: Supervisor security vulnerability

I have to ask / confirm,

“A fix for this security issue has been rolled out to all affected Home Assistant users via the Supervisor auto-update system and this issue is no longer present.”

Home assistant can automatically be updated remotely by the team?? It seems I already have the patch but don’t remember updating supervisor within the last month. I thought all updates are user opt-in? Thanks to the teams quick action on this exploit, but I’m not overly keen to have a system that automatically updates without the owners knowledge.

1 Like

You can verify that you received the update on the Home Assistant About page and verify that you are running Supervisor 2023.03.1 or later. If you do not see a Supervisor version on your About page, you do not use one of the affected installation types and have not been vulnerable.

The issue has also been mitigated in Home Assistant 2023.3.0. This version was released on March 1 and has since been installed by 33% of our users.

1 Like

It was clearly answered to you in the first words. What is not clear about that? :man_shrugging:

It means that all communication is 1-to-1, as it is end-to-end encrypted. There is nothing done with communication from the internet to your instance. As it is end-to-end encrypted, meaning nothing can be seen, read, filtered, or modified along the way.

If you run Home Assistant OS or Home Assistant Supervised, you have been affected by the vulnerability disclosed in this announcement.



The Supervisor is set to update itself automatically unless turned off


ah I did not know this, where is this setting?..

Have a look at this post, its done via the cli. But note the couple of caveats with disabling it listed in the same post.

Feature request: block supervisor auto-updates - Feature Requests - Home Assistant Community (home-assistant.io)

1 Like

Question about the event itself in HA. I have a dashboard for software updates and events, is there an entity for this “Security Disclosure”, so that I can have a conditial card to show it when a next event occurs?

OK… So if you’re using the Hass OS, seems you can only disable supervisor automatic updates via CLI, Enabling terminal session (Supervisor > Add-on store > Terminal & SSH)

I have not tested it yet… Thanks @aidbish

1 Like

Was it possible to access/retrieve configuration information such as keys and tokens from our configuration through this API vulnerability? Should we change these?


Some questions :

“manage add-ons and backups”. Were the attackers able to download backups?

Were the attackers able to affect my supervisor if they knew my NabuCasa URL?
Is there any way to check if these SuperVisor API calls were made to my instance?

1 Like

Can you please provide some additional information regarding this vulnerability, as neither the associated GitHub nor the Mitre CVE pages seem to have the details of the potential attack vector, which are necessary to perform forensic analysis on whether one’s instance has been exploited?

I think this would also help to dispel confusion seen in this thread.


Looking at the API reference, seems like they would be able to download a full backup if they had access.

I’ve changed my DuckDNS token, took 1 minute (login to DuckDNS, click on the ||| symbol next to name, recreate token, copy token to DuckDNS config on HA and restart it).

This disclosure is really lacking enough details to allow non-technical users to understand the scope of the vulnerability.

Based on my understanding, the supervisor API not accessible through the standard HA core ingress.

This seems confirmed here: Supervisor External API Access - #2 by CentralCommand

If the above is the case, I’d reword the statement to avoid spreading panic throughout the community as it is a serious one, with the supervisor API giving an attacker opportunities to compromise the entire HA instance and credentials to everything it was integrated with and if so, I (and pretty much everyone here) would like to know so that we can act.

Answer to HAS THIS VULNERABILITY BEEN ABUSED? is ridiculous, please provide more details to allow users to determine if they could have been compromised - even if it’s just a hint to review logs of ingress controllers for access to a specific path like /api/supervisor or something…


I am using Nabu Casa. Still affected by this?

Quick question: Shouldn’t the warning message automatically disappear after the update? I have now made the update 2023.03.1, but the repair/warning message still appears. Even after a reboot of the host. :thinking:

Home Assistant 2023.3.1
Supervisor 2023.03.1
Operating System 9.5

So we should uninstall wireguard and reinstall because if backups are on the lose so would wireguard config/clients files?

Agreed. See my comment above. The referenced CVE number on the Mitre site is showing as reserved and as of writing of this message, doesn’t yet contain the necessary details.

1 Like

Only if you click “Ignore” in the lower left corner of the pop-up window.

OK thanks. In fact, this should happen automatically. :slightly_smiling_face:

To be fair, the rapid fix and transparent, public disclosure for this defect is exactly why I use Home Assistant and am far more comfortable exposing it to the internet than I would be about pretty much any other internet-connected device that I have in my infrastructure.

All software has defects, some of those defects will impact security, and a few will be serious. I don’t judge software by whether or not it has defects, but by how those defects are handled when they are found.

Thanks guys, 10/10 here.