CVE-2026-27796

Homarr is an open-source dashboard. Prior to version 1.54.0, the integration.all tRPC endpoint in Homarr is exposed as a publicProcedure, allowing unauthenticated users to retrieve a complete list of configured integrations. This metadata includes sensitive information such as internal service URLs, integration names, and service types. This issue has been patched in version 1.54.0.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/homarr-labs/homarr/commit/91fc5a5c747121475a50f2713d571ceb89e95257	Patch
https://github.com/homarr-labs/homarr/releases/tag/v1.54.0	Release Notes
https://github.com/homarr-labs/homarr/security/advisories/GHSA-m4vc-4prp-cvp7	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:homarr:homarr:*:*:*:*:*:*:*:*

History

10 Mar 2026, 16:24

Type	Values Removed	Values Added
Summary		(es) Homarr es un panel de control de código abierto. Antes de la versión 1.54.0, el endpoint tRPC integration.all en Homarr está expuesto como un publicProcedure, permitiendo a usuarios no autenticados recuperar una lista completa de integraciones configuradas. Estos metadatos incluyen información sensible como URLs de servicios internos, nombres de integración y tipos de servicio. Este problema ha sido parcheado en la versión 1.54.0.
References	~~() https://github.com/homarr-labs/homarr/commit/91fc5a5c747121475a50f2713d571ceb89e95257 -~~	() https://github.com/homarr-labs/homarr/commit/91fc5a5c747121475a50f2713d571ceb89e95257 - Patch
References	~~() https://github.com/homarr-labs/homarr/releases/tag/v1.54.0 -~~	() https://github.com/homarr-labs/homarr/releases/tag/v1.54.0 - Release Notes
References	~~() https://github.com/homarr-labs/homarr/security/advisories/GHSA-m4vc-4prp-cvp7 -~~	() https://github.com/homarr-labs/homarr/security/advisories/GHSA-m4vc-4prp-cvp7 - Exploit, Vendor Advisory
CPE		cpe:2.3:a:homarr:homarr::::::::
First Time		Homarr Homarr homarr

07 Mar 2026, 06:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-07 06:16

Updated : 2026-03-10 16:24

NVD link : CVE-2026-27796

Mitre link : CVE-2026-27796

CVE.ORG link : CVE-2026-27796

JSON object : View

Products Affected

homarr

homarr

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-862

Missing Authorization

5.3 /10