GHSA-33QF-Q99X-WPM8

Vulnerability from github – Published: 2026-04-16 21:28 – Updated: 2026-04-16 21:28
VLAI?
Summary
Home Assistant Command-line Interface: Handling of user-supplied Jinja2 templates
Details

Impact

Up to 1.0.0 of home-assitant-cli (or hass-cli for short) an unrestricted environment was used to handle Jninja2 templates instead of a sandboxed one. The user-supplied input within Jinja2 templates was rendered locally with no restrictions. This gave users access to Python's internals and extended the scope of templating beyond the intended usage.

E. g., it was possible to render a template with hass-cli template bad-template.j2 --local that contained entries like

{%- set b   = environ.__globals__['__builtins__'] -%}
{%- set os  = b['__import__']('os') -%}
{%- set bio = b['__import__']('builtins') -%}
...

or other malicious Jinja2 expressions. This can lead to arbitrary code execution on the local machine.

In a two step process an adversary could trick/convince an user to download third-party templates which contain harmful code (e. g., perform data manipulation or establish a remote shell) then to render those templates unchecked/reviewed/verified with --local.

The issue only affect the local machine and not a remote Home Assistant instance. It also requires user interventions.

Patches

1.0.0 uses ImmutableSandboxedEnvironment and restricts the usage of environment variables.

Workarounds

Evaluate the Jninja2 templates manually or tool-based before rendering with hass-cli.

Severity ?
5.6 (Medium)
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "homeassistant-cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40602"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T21:28:39Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nUp to 1.0.0 of `home-assitant-cli` (or `hass-cli` for short) an unrestricted environment was used to handle Jninja2 templates instead of a sandboxed one. The user-supplied input within Jinja2 templates was rendered locally with no restrictions. This gave users access to Python\u0027s internals and extended the scope of templating beyond the intended usage.\n\nE. g., it was possible to render a template with `hass-cli template bad-template.j2 --local` that contained entries like\n\n````j2\n{%- set b   = environ.__globals__[\u0027__builtins__\u0027] -%}\n{%- set os  = b[\u0027__import__\u0027](\u0027os\u0027) -%}\n{%- set bio = b[\u0027__import__\u0027](\u0027builtins\u0027) -%}\n...\n````\n\nor other malicious Jinja2 expressions. This can lead to arbitrary code execution on the local machine.\n\nIn a two step process an adversary could trick/convince an user to download third-party templates which contain harmful code (e. g., perform data manipulation or establish a remote shell)  then to render those templates unchecked/reviewed/verified with `--local`. \n\nThe issue only affect the local machine and not a remote Home Assistant instance. It also requires user interventions.\n\n### Patches\n\n1.0.0 uses `ImmutableSandboxedEnvironment` and restricts the usage of environment variables.\n\n### Workarounds\n\nEvaluate the Jninja2 templates manually or  tool-based before rendering with `hass-cli`.",
  "id": "GHSA-33qf-q99x-wpm8",
  "modified": "2026-04-16T21:28:39Z",
  "published": "2026-04-16T21:28:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/home-assistant-ecosystem/home-assistant-cli/security/advisories/GHSA-33qf-q99x-wpm8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/home-assistant-ecosystem/home-assistant-cli/pull/453"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/home-assistant-ecosystem/home-assistant-cli"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Home Assistant Command-line Interface: Handling of user-supplied Jinja2 templates"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.