CVE-2026-40196 (GCVE-0-2026-40196)

Vulnerability from cvelistv5 – Published: 2026-04-17 21:01 – Updated: 2026-04-17 21:01
VLAI?
Title
HomeBox has Unauthorized API Access via Retained defaultGroup ID After Group Access Revocation
Summary
HomeBox is a home inventory and organization system. Versions prior to 0.25.0 contain a vulnerability where the defaultGroup ID remained permanently assigned to a user after being invited to a group, even after their access to that group was revoked. While the web interface correctly enforced the access revocation and prevented the user from viewing or modifying the group's contents, the API did not. Because the original group ID persisted as the user's defaultGroup, and this value was not properly validated when the X-Tenant header was omitted, the user could still perform full CRUD operations on the group's collections through the API, bypassing the intended access controls. This issue has been fixed in version 0.25.0.
Severity ?
8.1 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CWE
  • CWE-708 - Incorrect Ownership Assignment
Assigner
References
Impacted products
Vendor Product Version
sysadminsmedia homebox Affected: < 0.25.0
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "homebox",
          "vendor": "sysadminsmedia",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.25.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "HomeBox is a home inventory and organization system. Versions prior to 0.25.0 contain a vulnerability where the defaultGroup ID remained permanently assigned to a user after being invited to a group, even after their access to that group was revoked. While the web interface correctly enforced the access revocation and prevented the user from viewing or modifying the group\u0027s contents, the API did not. Because the original group ID persisted as the user\u0027s defaultGroup, and this value was not properly validated when the X-Tenant header was omitted, the user could still perform full CRUD operations on the group\u0027s collections through the API, bypassing the intended access controls. This issue has been fixed in version 0.25.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-708",
              "description": "CWE-708: Incorrect Ownership Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-17T21:01:18.530Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-6pvm-v73p-p6m9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-6pvm-v73p-p6m9"
        },
        {
          "name": "https://github.com/sysadminsmedia/homebox/releases/tag/v0.25.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sysadminsmedia/homebox/releases/tag/v0.25.0"
        }
      ],
      "source": {
        "advisory": "GHSA-6pvm-v73p-p6m9",
        "discovery": "UNKNOWN"
      },
      "title": "HomeBox has Unauthorized API Access via Retained defaultGroup ID After Group Access Revocation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-40196",
    "datePublished": "2026-04-17T21:01:18.530Z",
    "dateReserved": "2026-04-09T20:59:17.620Z",
    "dateUpdated": "2026-04-17T21:01:18.530Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-40196\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-17T21:16:33.863\",\"lastModified\":\"2026-04-17T21:16:33.863\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"HomeBox is a home inventory and organization system. Versions prior to 0.25.0 contain a vulnerability where the defaultGroup ID remained permanently assigned to a user after being invited to a group, even after their access to that group was revoked. While the web interface correctly enforced the access revocation and prevented the user from viewing or modifying the group\u0027s contents, the API did not. Because the original group ID persisted as the user\u0027s defaultGroup, and this value was not properly validated when the X-Tenant header was omitted, the user could still perform full CRUD operations on the group\u0027s collections through the API, bypassing the intended access controls. This issue has been fixed in version 0.25.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-708\"}]}],\"references\":[{\"url\":\"https://github.com/sysadminsmedia/homebox/releases/tag/v0.25.0\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-6pvm-v73p-p6m9\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.