CVE-2026-23833: ESPHome vulnerable to denial-of-service via out-of-bounds check bypass in the API component
An integer overflow in the API component’s protobuf decoder lets a message bypass an out-of-bounds check, which can be used for denial-of-service attacks when API encryption is not used.
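The bug class named above, shown as an added generic illustration that is not ESPHome's code and is not derived from the linked fix: a length-delimited protobuf field carries a declared length, and a bounds check written as `offset + len <= size` can wrap in 32-bit arithmetic, so an oversized length passes and the decoder reads past the buffer. The function names, the varint decoder and the sample bytes are all constructed for this example; the safe form compares the length against the remaining bytes instead of adding.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode a base-128 varint (protobuf encoding) from at most `avail` bytes.
 * Returns the number of bytes consumed, or 0 if the varint is malformed or truncated. */
static size_t decode_varint(const uint8_t *buf, size_t avail, uint32_t *out) {
    uint32_t value = 0;
    for (size_t i = 0; i < avail && i < 5; i++) {
        value |= (uint32_t)(buf[i] & 0x7Fu) << (7 * i);
        if ((buf[i] & 0x80u) == 0) {
            *out = value;
            return i + 1;
        }
    }
    return 0;
}

/* Weak check: `offset + len` is computed in uint32_t and wraps when len is close to
 * UINT32_MAX, so a huge declared length compares as "small" and slips through. */
static bool payload_fits_unsafe(uint32_t offset, uint32_t len, uint32_t size) {
    return offset + len <= size;
}

/* Overflow-proof check: never add; compare len against the bytes that remain. */
static bool payload_fits_safe(uint32_t offset, uint32_t len, uint32_t size) {
    return offset <= size && len <= size - offset;
}

/* Parse the first field of a protobuf-style message and, if it is length-delimited
 * (wire type 2), validate its declared length against the message size.
 * Returns the accepted payload length, or -1 if the message is rejected.
 * (Hypothetical helper for this example; not an ESPHome API.) */
static int64_t parse_first_field(const uint8_t *msg, uint32_t size, bool use_safe_check) {
    uint32_t offset = 0, tag = 0, len = 0;
    size_t n = decode_varint(msg, size, &tag);
    if (n == 0) return -1;
    offset += (uint32_t)n;
    if ((tag & 0x7u) != 2) return -1;          /* only wire type 2 carries a length */
    n = decode_varint(msg + offset, size - offset, &len);
    if (n == 0) return -1;
    offset += (uint32_t)n;
    bool ok = use_safe_check ? payload_fits_safe(offset, len, size)
                             : payload_fits_unsafe(offset, len, size);
    return ok ? (int64_t)len : -1;
}

/* Constructed sample: field 1, wire type 2 (tag 0x0A), declared length 0xFFFFFFFF
 * (varint FF FF FF FF 0F), followed by two payload bytes. Eight bytes in total. */
static const uint8_t kOversizedLength[] = { 0x0A, 0xFF, 0xFF, 0xFF, 0xFF, 0x0F, 0x41, 0x42 };
/* Constructed well-formed message: field 1, length 2, payload "AB". */
static const uint8_t kWellFormed[] = { 0x0A, 0x02, 0x41, 0x42 };

/* The weak check accepts the oversized length: 6 + 0xFFFFFFFF wraps to 5, and 5 <= 8. */
int64_t demo_unsafe_oversized(void) {
    return parse_first_field(kOversizedLength, sizeof kOversizedLength, false);
}
/* The safe check rejects it: only 2 bytes remain after the header, 0xFFFFFFFF > 2. */
int64_t demo_safe_oversized(void) {
    return parse_first_field(kOversizedLength, sizeof kOversizedLength, true);
}
/* The safe check still accepts a well-formed field of length 2. */
int64_t demo_safe_wellformed(void) {
    return parse_first_field(kWellFormed, sizeof kWellFormed, true);
}

int main(void) {
    printf("unsafe check, oversized length: %lld\n", (long long)demo_unsafe_oversized());
    printf("safe check,   oversized length: %lld\n", (long long)demo_safe_oversized());
    printf("safe check,   well-formed:      %lld\n", (long long)demo_safe_wellformed());
    return 0;
}
```

The rejected message is the defensive outcome to look for: a decoder that reaches the payload copy with a length the buffer cannot hold is the condition that turns a malformed frame into a crash, and enabling API encryption, as the advisory notes, keeps unauthenticated peers from reaching the decoder at all.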
References
- esphome.io/guides/security_best_practices
- github.com/advisories/GHSA-4h3h-63v6-88qx
- github.com/esphome/esphome
- github.com/esphome/esphome/commit/69d7b6e9210390051318bd8e6410727689de08d6
- github.com/esphome/esphome/pull/13306
- github.com/esphome/esphome/security/advisories/GHSA-4h3h-63v6-88qx
- nvd.nist.gov/vuln/detail/CVE-2026-23833