PatchSiren cyber security CVE debrief

CVE-2026-44698 home-assistant CVE debrief

## Summary

Home Assistant Companion apps for Android (prior to 2026.4.4) and iOS (prior to 2026.4.1) contain a cross-origin JavaScript bridge exposure vulnerability. The apps expose native bridge objects (`window.externalApp` on Android; `webkit.messageHandlers.getExternalAuth`, `revokeExternalAuth`, and `externalBus` on iOS) to all frames within the in-app WebView, including cross-origin iframes. Combined with unsanitized interpolation of JavaScript callback identifiers, this allows a malicious cross-origin iframe to execute arbitrary JavaScript in the Home Assistant frontend's main-frame origin and exfiltrate the authenticated user's access token.

## Technical Details

The vulnerability stems from two architectural flaws in the Companion apps' WebView implementations:

1. **Overly Permissive Bridge Exposure**: The JavaScript-to-native bridge is exposed to all frames within the WebView rather than being restricted to same-origin content. This allows cross-origin iframes embedded in the Home Assistant UI to access the bridge objects.
2. **Unsanitized Callback Identifier Interpolation**: The bridge implementation performs string interpolation of JavaScript callback identifiers without proper sanitization. A malicious iframe can inject arbitrary JavaScript through this interpolation channel, which then executes in the context of the main frame (the Home Assistant frontend origin).

Successful exploitation enables an attacker to:

- Execute arbitrary JavaScript in the Home Assistant frontend security context
- Access and exfiltrate the signed-in user's access token
- Potentially perform actions on behalf of the compromised user

The attack vector requires user interaction (rendering a malicious iframe) and network access. The vulnerability is present in both platform implementations, though each platform has its own fix version.
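The two flaws above, contrasted in an added JavaScript example. This is not code from the Home Assistant Companion apps or frontend: the `buildCallbackScriptUnsafe`, `isValidCallbackId`, `dispatchCallbackSafe` and `bridgeAllowedFor` helpers, the `registry`, and all sample identifiers and origins are hypothetical. It shows why interpolating a caller-supplied callback name into script text is a code-generation defect (CWE-94), how an allow-list plus table dispatch removes that channel, and what a top-frame/origin check for a bridge looks like.

```javascript
// Added example, not Home Assistant code. Names below are hypothetical.

// --- Weak pattern: the native side hands back JavaScript built by string
// interpolation of a caller-supplied callback identifier. Whatever the caller
// passes is placed verbatim into script text, so anything that is not a plain
// identifier becomes code in the frame that evaluates it (CWE-94).
function buildCallbackScriptUnsafe(callbackId, payload) {
  return `${callbackId}(${JSON.stringify(payload)});`;
}

// --- Hardened pattern: accept only a strict identifier shape, and dispatch
// through a lookup table instead of evaluating text at all.
const CALLBACK_ID = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;

function isValidCallbackId(id) {
  return typeof id === "string" && CALLBACK_ID.test(id);
}

// Callbacks the page registered ahead of time; the bridge never sees code.
const registry = new Map();

function registerCallback(id, fn) {
  if (!isValidCallbackId(id)) throw new TypeError("invalid callback id");
  registry.set(id, fn);
}

function dispatchCallbackSafe(callbackId, payload) {
  if (!isValidCallbackId(callbackId)) return { ok: false, reason: "bad-id" };
  const fn = registry.get(callbackId);
  if (!fn) return { ok: false, reason: "unknown" };
  fn(payload);
  return { ok: true };
}

// --- Frame check: a bridge shim should only act for the top-level document on
// the expected origin. `win` is passed in so the check can be exercised with a
// constructed window-like object; in a browser it would be `window`.
function bridgeAllowedFor(win, expectedOrigin) {
  try {
    return win.top === win && win.location.origin === expectedOrigin;
  } catch (e) {
    // Reading win.top from a cross-origin context can throw; treat as denied.
    return false;
  }
}
```

The page-side `bridgeAllowedFor` check illustrates the intent of restricting the bridge to same-origin content, but it is not a substitute for the native fix: a frame that has already been handed the bridge object is not constrained by a script in another frame, so the restriction has to be enforced where the object is exposed, and callback handling has to avoid generating script from untrusted identifiers regardless.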
## Affected Versions

| Platform | Affected Versions | Fixed Version |
|----------|-------------------|---------------|
| iOS      | Prior to 2026.4.1 | 2026.4.1      |
| Android  | Prior to 2026.4.4 | 2026.4.4      |

## CVSS Assessment

**CVSS 3.1 Score**: 8.3 (HIGH)

**Vector**: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

The HIGH severity reflects:

Vendor
home-assistant
Product
core
CVSS
HIGH 8.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-29
Original CVE updated
2026-05-29
Advisory published
2026-05-29
Advisory updated
2026-05-29

Who should care

Home Assistant users with Companion apps installed, mobile application security teams, IoT security practitioners, smart home administrators

Technical summary

The Home Assistant Companion apps expose native JavaScript bridge objects to all WebView frames including cross-origin iframes. Unsanitized interpolation of callback identifiers allows malicious iframes to inject and execute arbitrary JavaScript in the main frame context, enabling access token theft. Fixed in iOS 2026.4.1 and Android 2026.4.4.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Home Assistant Companion app to iOS version 2026.4.1 or later, or Android version 2026.4.4 or later
  • Review and audit any custom Home Assistant dashboards or integrations that embed third-party iframes
  • Implement Content Security Policy (CSP) headers to restrict iframe sources where possible
  • Monitor Home Assistant access logs for anomalous token usage or unauthorized API calls
  • Consider rotating access tokens if compromise is suspected
  • Apply principle of least privilege to Home Assistant user accounts and API tokens

Evidence notes

CVE description confirms bridge exposure to cross-origin iframes and unsanitized callback interpolation enabling arbitrary JavaScript execution and token exfiltration. CVSS 8.3 (HIGH) with attack complexity HIGH, user interaction required, scope changed. CWE-94 (Improper Control of Generation of Code), CWE-346 (Origin Validation Error), CWE-749 (Exposed Dangerous Method or Function), CWE-940 (Improper Verification of Source of a Communication Channel) identified.

Official resources

2026-05-29