PatchSiren cyber security CVE debrief
CVE-2021-47942 Exploit Db CVE debrief
CVE-2021-47942 describes a path traversal issue in Home Assistant Community Store (HACS) 1.10.0 that allows unauthenticated attackers to read files outside the intended directory through the /hacsfiles/ endpoint. The supplied record says the .storage/auth file may be exposed, including user credentials and refresh tokens, which an attacker can then use to mint valid JWTs and gain administrative access to the Home Assistant instance. NVD's record classifies the weakness as CWE-22 (improper limitation of a pathname to a restricted directory) and lists a network-reachable attack path requiring no privileges and no user interaction.
- Vendor: Exploit Db
- Product: Unknown
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-16
- Original CVE updated: 2026-05-16
- Advisory published: 2026-05-16
- Advisory updated: 2026-05-16
Who should care
Home Assistant operators running HACS, especially those who expose Home Assistant (and with it the /hacsfiles/ endpoint) to the internet or other untrusted networks. Security teams should prioritize any environment where .storage/auth or other sensitive Home Assistant files could be reached through a web path, since the page describes the impact as full administrative takeover rather than a simple information leak.
Technical summary
The supplied sources describe a directory traversal flaw in the /hacsfiles/ endpoint of HACS 1.10.0. NVD maps the issue to CWE-22 and shows an attack vector with no privileges and no user interaction. Per the supplied description, successful traversal can let an attacker read sensitive local files, including .storage/auth, potentially exposing credentials and refresh tokens. That exposure may support token forgery and administrative compromise of Home Assistant. The corpus does not include a verified fixed version, so remediation should be based on upstream guidance and validation in your environment.
Defensive priority
High. This is an unauthenticated remote file-read issue with potential account takeover impact, so exposed Home Assistant deployments should be assessed quickly.
Recommended defensive actions
- Confirm whether HACS 1.10.0 is installed (the HACS integration page in Home Assistant shows the version) and whether the instance is reachable from untrusted networks.
- Restrict or block external access to Home Assistant and the /hacsfiles/ endpoint until the issue is addressed, for example by limiting exposure to a VPN or trusted network ranges.
- Upgrade HACS to a version that resolves the traversal issue, following upstream guidance; the supplied corpus does not name a fixed version, so verify the fix with the project rather than assuming any later release is safe.
- If exposure is suspected, treat .storage/auth as compromised: rotate Home Assistant user passwords and revoke or regenerate refresh tokens and long-lived access tokens, since a copied refresh token remains usable until it is revoked.
- Review access logs for requests to /hacsfiles/ whose decoded path contains ../ sequences or targets sensitive paths such as .storage/auth; check URL-encoded and double-encoded forms as well as the literal string. A 200 response on such a request indicates the file was actually served.
- Validate that only expected files are served through web-facing paths and that directory traversal protections are in place, including normalisation of the decoded path and a check that the resolved file lies under the intended directory.
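The log review and the traversal-protection check in the last two actions above, as an added example that is not HACS or Home Assistant code. The log format, client addresses, the /config/www/community document root, and the helper names are assumptions made for illustration; the sample log lines are constructed. Detection decodes the request path repeatedly (so double-encoded ../ is caught) and flags dot-dot segments or sensitive file names under /hacsfiles/; the containment check shows the normalise-then-verify step a file-serving handler should apply.

```python
"""Added example, not HACS or Home Assistant code.

Two pieces: (1) a hunting rule for traversal attempts against /hacsfiles/
in combined-format access logs, (2) a path containment check of the kind a
file-serving endpoint should enforce. All paths, hosts and log lines below
are constructed for the example."""
import posixpath
import re
from urllib.parse import unquote

HACS_PREFIX = "/hacsfiles"
# Files a traversal against a Home Assistant host would plausibly target.
SENSITIVE = (".storage/auth", ".storage/", "secrets.yaml", "configuration.yaml")

# Constructed sample lines in a common combined-log style (assumed format).
SAMPLE_LOG = """\
203.0.113.7 - - [16/May/2026:10:01:02 +0000] "GET /hacsfiles/frontend/main.js HTTP/1.1" 200 51234
203.0.113.9 - - [16/May/2026:10:01:05 +0000] "GET /hacsfiles/../.storage/auth HTTP/1.1" 200 8120
203.0.113.9 - - [16/May/2026:10:01:06 +0000] "GET /hacsfiles/%2e%2e/%2e%2e/.storage/auth HTTP/1.1" 200 8120
203.0.113.9 - - [16/May/2026:10:01:07 +0000] "GET /hacsfiles/..%252f..%252f.storage/auth HTTP/1.1" 404 0
198.51.100.4 - - [16/May/2026:10:02:00 +0000] "GET /api/states HTTP/1.1" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def decode_path(raw, rounds=3):
    """URL-decode until stable so double-encoded '..' (%252e%252e) is seen."""
    path = raw
    for _ in range(rounds):
        new = unquote(path)
        if new == path:
            break
        path = new
    return path


def traversal_reason(raw_path):
    """Return why a request looks like traversal against /hacsfiles/, or None.

    Deliberately broad: any '..' segment under the prefix is worth a look,
    even one that would normalise back inside the directory."""
    path = decode_path(raw_path.split("?", 1)[0])
    if not (path == HACS_PREFIX or path.startswith(HACS_PREFIX + "/")):
        return None
    if ".." in path.split("/"):
        return "dot-dot segment after decoding"
    if any(s in path for s in SENSITIVE):
        return "sensitive file name"
    return None


def scan_access_log(text):
    """Return (ip, status, decoded_path, reason) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed format; a real hunt would log this
        reason = traversal_reason(m["path"])
        if reason:
            hits.append((m["ip"], int(m["status"]), decode_path(m["path"]), reason))
    return hits


def resolve_under_root(root, requested):
    """Containment check for a file-serving handler (illustrative, not HACS's).

    Decode, join, normalise, then refuse anything that resolves outside root.
    Returns the absolute path to serve, or None to reject. Uses lexical
    normalisation only; a real handler should also realpath() to defeat symlinks."""
    root = root.rstrip("/")
    rel = decode_path(requested).lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, rel))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for ip, status, path, reason in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {status} {path}  <- {reason}")
    print(resolve_under_root("/config/www/community", "frontend/main.js"))
    print(resolve_under_root("/config/www/community", "../../.storage/auth"))
```

Run against the constructed log, the scan reports the three requests from 203.0.113.9 and ignores the legitimate asset fetch and the unrelated API call; the two 200 responses are the ones that warrant credential rotation. The containment check accepts the normal asset path and rejects the decoded ../../.storage/auth request.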
Evidence notes
The debrief is based on the supplied CVE description and NVD metadata. Supporting evidence includes the NVD classification of CWE-22, the network/no-auth attack characteristics embedded in the supplied CVSS vector, and references to the HACS GitHub repository, a Home Assistant official site link, an Exploit-DB entry, and a VulnCheck advisory title indicating path traversal and account takeover. No fixed version, exploit validation, or additional impact details were added beyond the supplied corpus.
Official resources
NVD’s record in the supplied corpus is dated 2026-05-16, and that timeline is used here only as publication context. The vendor field in the supplied item is low-confidence and marked for review, so conclusions are limited to the provided N