CVE-2026-40602
Home Assistant Command-line Interface: Handling of user-supplied Jinja2 templates
描述
### Impact Up to 1.0.0 of `home-assitant-cli` (or `hass-cli` for short) an unrestricted environment was used to handle Jninja2 templates instead of a sandboxed one. The user-supplied input within Jinja2 templates was rendered locally with no restrictions. This gave users access to Python's internals and extended the scope of templating beyond the intended usage. E. g., it was possible to render a template with `hass-cli template bad-template.j2 --local` that contained entries like ````j2 {%- set b = environ.__globals__['__builtins__'] -%} {%- set os = b['__import__']('os') -%} {%- set bio = b['__import__']('builtins') -%} ... ```` or other malicious Jinja2 expressions. This can lead to arbitrary code execution on the local machine. In a two step process an adversary could trick/convince an user to download third-party templates which contain harmful code (e. g., perform data manipulation or establish a remote shell) then to render those templates unchecked/reviewed/verified with `--local`. The issue only affect the local machine and not a remote Home Assistant instance. It also requires user interventions. ### Patches 1.0.0 uses `ImmutableSandboxedEnvironment` and restricts the usage of environment variables. ### Workarounds Evaluate the Jninja2 templates manually or tool-based before rendering with `hass-cli`.
如何修補 CVE-2026-40602
要修補 CVE-2026-40602,請將受影響套件升級到下列已修補版本。
- —升級至 1.0.0 或更新版本
CVE-2026-40602 正在被利用嗎?
低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。
受影響套件(1)
- from 0, < 1.0.0