Disclosure: Supervisor security vulnerability

Why wouldn’t you just generate a new config that gives you a new endpoint hash? Or does the wireguard add-on not work that way? I don’t use it; I have wireguard running off my router.

1 Like

Add a reverse proxy in front and do it :slight_smile: (Maybe the android app project would accept such a contribution).

1 Like

They have handled this awesomely. Look at other bigger companies who hide things for days or weeks before releasing anything.

And I am very happy that they’ve taken the “fix first, provide more info later” approach. This is how we deal with production outages where I work; there will be plenty of time for assessments and documenting.

7 Likes

I read somewhere that an unprotected PC connected to the Internet will be probed within about 8 seconds… :roll_eyes:

Edit: Found it - very old, though:

I would suggest to add a very clear and easy to digest statement onto the blogpost like:

„There is nothing that you need to do other than to ensure you‘re on the latest update“

Many less experienced users might be unsure about what to do and now start changing passwords, API tokens, DYNDNS addresses…

The Android app does support client certificates, if you’re experiencing issues feel free to open an issue on GitHub.

(Reverse proxies as suggested later in the thread are tricky for various reasons, they don’t really work well for the app because of the various APIs and not always being in a browser.)

2 Likes

I was surprised to see a supervisor update. As usual with the supervisor, I quickly installed it, as most of the time it is bugfixes.

I did a quick search in a famous search engine and was surprised to see so many HA instances being served directly, some even on the default port, exposing outdated HA versions.

  • Is this the first critical CVE for HA since its existence, or are older ones just not documented in github?

Thanks.

This is exactly what i would advise anyone to do if there has been a security breach! …with the exception of the DYNDNS addresses.

1 Like

That was kinda what I meant. Hopefully that’s possible :slight_smile:

There was also this one though I don’t know if it made it to CVE status.

Just took a look at the configuration for wireguard and it is not at all like how my router works. But I think if you went in and changed the name of your peer connection a new configuration would be created. You’d then have to re-configure it on the device side too.

Ok, I see, but then the other way around, it could be a good idea to also state this. Without any clear statement many might be unsure of what to do now.

1 Like

That was an external issue (custom integrations), which we mitigated. If there is a CVE, it doesn’t belong to HA.

2 Likes

Should it be blocked at the reverse proxy level then? I will probably give it a try this evening.

What are you talking about? Supervisor updates come at regular intervals, AND more usually due to enhancements/new features … and what is this “search” “being served directly” you refer to?

And didn’t your famous engine provide you with an answer to this ?

Having a “Hidden” profile and postulating like you do serves no relevant nor respectful purpose, and deserves NO answers.

1 Like

Don’t forget to clear all refresh tokens for each user. This is not easily done, btw.

1 Like

What’s hard about going to your profile and deleting them?

It has to be done by every person on every device they use? :wink:

1 Like

Why? Were we instructed to do so?

In case these tokens are part of the backup then it is reasonable to expect they might have leaked.

2 Likes