ha-mcp has XSS via Unescaped HTML in OAuth Consent Form

Description

Summary

The ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL could execute JavaScript in the operator's browser. This affects only users running the beta OAuth mode (ha-mcp-oauth), which is not part of the standard setup and requires explicit configuration.

Details

Unescaped f-string rendering

consent_form.py builds HTML using Python f-strings. No call to html.escape() exists anywhere in the file. The following values are rendered unescaped:

  • client_name / client_id — in HTML element context (lines 299, 303)
  • client_id, redirect_uri, state — in HTML attribute context (lines 310–312), where a " character breaks out of value=""
  • error_message, error, error_description — in error display paths (lines 36–40, 496–497)

An attacker can register a client with a malicious client_name via the /register (DCR) endpoint, which accepts client_name without sanitization. If the server operator then visits a crafted authorization URL for that client, the payload executes in their browser.

Open Dynamic Client Registration

DCR is enabled by default with no initial access token required. This is intentional: Claude.ai and ChatGPT must self-register on first use, which is the standard MCP OAuth flow (RFC 7591). Requiring a pre-shared token would break those integrations. Registration alone grants no access — authorization requires an explicit action by the server operator.

Impact

Affected configuration: OAuth mode only (ha-mcp-oauth, requires MCP_BASE_URL). This mode is in beta and is not included in the main setup documentation. The vast majority of ha-mcp users run stdio mode, which is not affected.

Attack requirements:
1. The attacker can reach the ha-mcp OAuth endpoint (it binds to 0.0.0.0 in HTTP mode)
2. The attacker registers a malicious client via /register
3. The attacker convinces the server operator — the person who set up ha-mcp — to follow a crafted authorization URL for an unrecognized application

Step 3 is a meaningful social engineering bar: the consent form displays the (unfamiliar) application name, and the operator has no legitimate reason to authorize an OAuth client they didn't initiate through Claude.ai or ChatGPT. Normal usage involves being redirected to the consent form from one of those platforms, not from an external link.

If exploited, a JavaScript payload could exfiltrate data entered into the consent form, including the Home Assistant Long-Lived Access Token.

Fix

Upgrade to 7.0.0

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-03-12 14:23:44 UTC
Updated
2026-03-12 14:23:45 UTC
GitHub reviewed
2026-03-12 14:23:44 UTC
NVD published
2026-03-11

EPSS Score

Score Percentile
0.03% 9.29%

CVSS Scores

Base score Version Severity Vector
6.8 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

CWEs

CWE id Name
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Credits

  • yotampe-pluto (reporter)
  • julienld (remediation_developer)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
pip ha-mcp < 7.0.0 7.0.0

References

cvelogic Threat Intelligence