Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.4
HomeBox allows attackers to bypass IP rate limiting
CVE-2026-27981
Summary
HomeBox's authentication system had a weakness that allowed attackers to evade IP blocking. This could be exploited by hackers connecting directly to HomeBox. To fix this, update to HomeBox version 0.24.0 or later.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| sysadminsmedia | homebox | <= 0.24.0 | – |
Original title
HomeBox is a home inventory and organization system. Prior to 0.24.0, the authentication rate limiter (authRateLimiter) tracks failed attempts per client IP. It determines the client IP by reading,...
Original description
HomeBox is a home inventory and organization system. Prior to 0.24.0, the authentication rate limiter (authRateLimiter) tracks failed attempts per client IP. It determines the client IP by reading, 1. X-Real-IP header, 2. First entry of X-Forwarded-For header, and 3. r.RemoteAddr (TCP connection address). These headers were read unconditionally. An attacker connecting directly to Homebox could forge any value in X-Real-IP, effectively getting a fresh rate limit identity per request. There is a TrustProxy option in the configuration (Options.TrustProxy, default false), but this option was never read by any middleware or rate limiter code. Additionally, chi's middleware.RealIP was applied unconditionally in main.go, overwriting r.RemoteAddr with the forged header value before it reaches any handler. This vulnerability is fixed in 0.24.0.
nvd CVSS3.1
7.4
Vulnerability type
CWE-307
Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026