CVE-2026-40196

EPSS 0.03%
Veröffentlicht 17.04.2026 21:01:18
Zuletzt bearbeitet 17.04.2026 21:16:33
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

HomeBox is a home inventory and organization system. Versions prior to 0.25.0 contain a vulnerability where the defaultGroup ID remained permanently assigned to a user after being invited to a group, even after their access to that group was revoked. While the web interface correctly enforced the access revocation and prevented the user from viewing or modifying the group's contents, the API did not. Because the original group ID persisted as the user's defaultGroup, and this value was not properly validated when the X-Tenant header was omitted, the user could still perform full CRUD operations on the group's collections through the API, bypassing the intended access controls. This issue has been fixed in version 0.25.0.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellersysadminsmedia

≫

Produkt homebox

Version < 0.25.0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.079

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE-708 Incorrect Ownership Assignment

The product assigns an owner to a resource, but the owner is outside of the intended control sphere.

https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-6pvm-v73p-p6m9

https://github.com/sysadminsmedia/homebox/releases/tag/v0.25.0

https://nvd.nist.gov/vuln/detail/CVE-2026-40196

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-40196

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-40196

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-40196