CVE-2026-27981

HIGH

HomeBox <0.24.0 - Auth Bypass

Title source: llm

Description

HomeBox is a home inventory and organization system. Prior to 0.24.0, the authentication rate limiter (authRateLimiter) tracks failed attempts per client IP. It determines the client IP by reading, 1. X-Real-IP header, 2. First entry of X-Forwarded-For header, and 3. r.RemoteAddr (TCP connection address). These headers were read unconditionally. An attacker connecting directly to Homebox could forge any value in X-Real-IP, effectively getting a fresh rate limit identity per request. There is a TrustProxy option in the configuration (Options.TrustProxy, default false), but this option was never read by any middleware or rate limiter code. Additionally, chi's middleware.RealIP was applied unconditionally in main.go, overwriting r.RemoteAddr with the forged header value before it reaches any handler. This vulnerability is fixed in 0.24.0.

References (1)

[Vendor Advisory] https://github.com/sysadminsmedia/homebox/security/advisories/GHSA-j86g-v96v-jpp3

Scores

CVSS v3 7.4

EPSS 0.0005

EPSS Percentile 16.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-307

Status published

Products (1)

sysadminsmedia/homebox < 0.24.0

Published Mar 03, 2026

Tracked Since Mar 04, 2026