Pete Keen

#HomeAssistant PSA: there is a security vulnerability in HA Supervisor and OS versions lower than 2023.3.0 that allows unauthenticated access to the supervisor API over the network. Version 2023.3.0 contained some mitigations and 2023.3.1 contains a full patch. Update today if you haven't already.

Docker and Core installs are not vulnerable to this attack.

https://www.home-assistant.io/blog/2023/03/08/supervisor-security-disclosure/

Disclosure: Supervisor security vulnerability

Disclosure of a security vulnerability found impacting installations using the Home Assistant Supervisor.

Home Assistant
Mar 8, 2023 at 1:35pmWeb
Show threadPete KeenMar 8, 2023
Also keep in mind that even if you don't have HA directly exposed to the internet you could still be hit with this if someone is able to get inside your network with a CSRF or something.