FKIE_CVE-2026-27981
Vulnerability from fkie_nvd - Published: 2026-03-03 23:15 - Updated: 2026-03-05 17:56
Severity: HIGH (CVSS v3.1 base score 7.4, vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N; CWE-307 Improper Restriction of Excessive Authentication Attempts)
Summary
HomeBox is a home inventory and organization system. Prior to 0.24.0, the authentication rate limiter (authRateLimiter) tracks failed attempts per client IP. It determines the client IP by reading, in order: 1. the X-Real-IP header, 2. the first entry of the X-Forwarded-For header, and 3. r.RemoteAddr (the TCP connection address). These headers were read unconditionally, so an attacker connecting directly to HomeBox could forge any value in X-Real-IP and obtain a fresh rate-limit identity on every request, defeating the brute-force protection on login. The configuration has a TrustProxy option (Options.TrustProxy, default false), but it was never read by any middleware or rate limiter code. Additionally, chi's middleware.RealIP was applied unconditionally in main.go, overwriting r.RemoteAddr with the forged header value before the request reached any handler. This vulnerability is fixed in 0.24.0.
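The following Go program is an added illustration of the weakness described above; it is not HomeBox's code and does not use chi. It reconstructs the pre-0.24.0 lookup order (X-Real-IP, first X-Forwarded-For entry, then r.RemoteAddr) as clientIPLegacy, places the hardened form clientIP beside it (headers consulted only when a trustProxy flag is set), and drives a minimal, hypothetical failed-login counter with twenty requests from one TCP peer that each forge a new X-Real-IP. The limiter, its limit of five failures, the /login path and the peer address 203.0.113.7 are all constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// clientIPLegacy reproduces the lookup order the advisory describes for
// HomeBox before 0.24.0: X-Real-IP, then the first X-Forwarded-For entry,
// then the TCP peer address, honouring the headers regardless of config.
// Illustrative reconstruction, not the project's code.
func clientIPLegacy(r *http.Request) string {
	if ip := strings.TrimSpace(r.Header.Get("X-Real-IP")); ip != "" {
		return ip
	}
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		if first := strings.TrimSpace(strings.Split(xff, ",")[0]); first != "" {
			return first
		}
	}
	return remoteHost(r)
}

// clientIP is the hardened form: proxy headers are consulted only when the
// operator has declared a trusted reverse proxy (trustProxy). Otherwise the
// key is the TCP peer address, which a directly connected client cannot forge.
func clientIP(r *http.Request, trustProxy bool) string {
	if trustProxy {
		return clientIPLegacy(r)
	}
	return remoteHost(r)
}

// remoteHost strips the port from r.RemoteAddr ("203.0.113.7:51000" -> "203.0.113.7").
func remoteHost(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// authRateLimiter is a hypothetical minimal limiter: it counts failed logins
// per key and refuses further attempts once the limit is reached (no expiry).
type authRateLimiter struct {
	mu       sync.Mutex
	max      int
	failures map[string]int
	keyOf    func(*http.Request) string // how a request is mapped to a rate-limit identity
}

func newAuthRateLimiter(max int, keyOf func(*http.Request) string) *authRateLimiter {
	return &authRateLimiter{max: max, failures: map[string]int{}, keyOf: keyOf}
}

// allow reports whether the request may attempt authentication.
func (l *authRateLimiter) allow(r *http.Request) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	return l.failures[l.keyOf(r)] < l.max
}

// recordFailure charges one failed attempt to the request's key.
func (l *authRateLimiter) recordFailure(r *http.Request) {
	l.mu.Lock()
	defer l.mu.Unlock()
	l.failures[l.keyOf(r)]++
}

// simulateBruteForce sends `attempts` failing logins from a single TCP peer,
// each carrying a freshly forged X-Real-IP, and returns how many the limiter
// let through. Peer address, path and header values are constructed sample data.
func simulateBruteForce(keyOf func(*http.Request) string, maxFailures, attempts int) int {
	lim := newAuthRateLimiter(maxFailures, keyOf)
	allowed := 0
	for i := 0; i < attempts; i++ {
		r := httptest.NewRequest(http.MethodPost, "/login", nil)
		r.RemoteAddr = "203.0.113.7:51000"                                 // the attacker's real connection
		r.Header.Set("X-Real-IP", fmt.Sprintf("10.0.%d.%d", i/256, i%256)) // forged, different every request
		if !lim.allow(r) {
			continue
		}
		allowed++
		lim.recordFailure(r) // every attempt uses a wrong password
	}
	return allowed
}

func main() {
	const maxFailures, attempts = 5, 20
	trusted := func(r *http.Request) string { return clientIP(r, true) }
	untrusted := func(r *http.Request) string { return clientIP(r, false) }
	fmt.Println("headers read unconditionally:", simulateBruteForce(clientIPLegacy, maxFailures, attempts))
	fmt.Println("TrustProxy=false            :", simulateBruteForce(untrusted, maxFailures, attempts))
	fmt.Println("TrustProxy=true             :", simulateBruteForce(trusted, maxFailures, attempts))
}
```

With the legacy lookup all twenty attempts pass, because each forged X-Real-IP is a new key; with TrustProxy=false only five do. The TrustProxy=true line shows the residual trade-off the advisory implies: once headers are trusted, the same bypass is available to anyone who can reach the listener without going through the proxy, so that setting belongs only behind a proxy that overwrites X-Real-IP and X-Forwarded-For. The same gate has to cover any RemoteAddr-rewriting middleware such as chi's middleware.RealIP; if that runs unconditionally, even the hardened key function reads the forged value.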
References
- https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-j86g-v96v-jpp3 (Vendor Advisory)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| sysadminsmedia | homebox | * (all versions before 0.24.0) |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sysadminsmedia:homebox:*:*:*:*:*:*:*:*",
"matchCriteriaId": "879C18E6-91D3-4BF1-AEDC-49E1A0D6354D",
"versionEndExcluding": "0.24.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "HomeBox is a home inventory and organization system. Prior to 0.24.0, the authentication rate limiter (authRateLimiter) tracks failed attempts per client IP. It determines the client IP by reading, 1. X-Real-IP header, 2. First entry of X-Forwarded-For header, and 3. r.RemoteAddr (TCP connection address). These headers were read unconditionally. An attacker connecting directly to Homebox could forge any value in X-Real-IP, effectively getting a fresh rate limit identity per request. There is a TrustProxy option in the configuration (Options.TrustProxy, default false), but this option was never read by any middleware or rate limiter code. Additionally, chi\u0027s middleware.RealIP was applied unconditionally in main.go, overwriting r.RemoteAddr with the forged header value before it reaches any handler. This vulnerability is fixed in 0.24.0."
},
{
"lang": "es",
"value": "HomeBox es un sistema de inventario y organizaci\u00f3n del hogar. Antes de 0.24.0, el limitador de tasa de autenticaci\u00f3n (authRateLimiter) rastrea los intentos fallidos por IP de cliente. Determina la IP del cliente leyendo: 1. el encabezado X-Real-IP, 2. la primera entrada del encabezado X-Forwarded-For, y 3. r.RemoteAddr (direcci\u00f3n de conexi\u00f3n TCP). Estos encabezados se le\u00edan incondicionalmente. Un atacante conect\u00e1ndose directamente a Homebox podr\u00eda falsificar cualquier valor en X-Real-IP, obteniendo efectivamente una nueva identidad de l\u00edmite de tasa por solicitud. Existe una opci\u00f3n TrustProxy en la configuraci\u00f3n (Options.TrustProxy, por defecto falso), pero esta opci\u00f3n nunca fue le\u00edda por ning\u00fan middleware o c\u00f3digo del limitador de tasa. Adem\u00e1s, el middleware.RealIP de chi se aplicaba incondicionalmente en main.go, sobrescribiendo r.RemoteAddr con el valor del encabezado falsificado antes de que llegara a cualquier gestor. Esta vulnerabilidad est\u00e1 corregida en 0.24.0."
}
],
"id": "CVE-2026-27981",
"lastModified": "2026-03-05T17:56:43.943",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.2,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-03-03T23:15:56.387",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-j86g-v96v-jpp3"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-307"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}