CVE-2026-54317: Home Assistant: Konnected alarm-panel switch state and zone topology disclosed to unauthenticated actors on the LAN
The Konnected integration registers an HTTP endpoint, KonnectedView (homeassistant/components/konnected/__init__.py), that is marked as not requiring authentication (requires_auth = False). A comment next to that line says auth is instead handled “via the access token from configuration.”
That promise is only half true:
- Write requests (POST and PUT) are handled by update_sensor(), which does check the request’s Authorization: Bearer <token> header against the integration’s stored access tokens (using hmac.compare_digest).
- Read requests (GET) are handled by a separate get() method that has no authentication check at all.
By sending GET requests to /api/konnected/device/{device_id}?zone=N, any unauthenticated client on the LAN can:
- Enumerate configured Konnected device IDs — the endpoint returns a clean 404-vs-200 difference that acts as an oracle for which devices exist.
- Read switch output states — the on/off state of every switch output (siren, strobe, and relay outputs of the alarm panel).
- Read the panel’s zone topology — how the alarm panel’s zones are configured.
- Trigger panel connections — each unauthenticated GET forces one outbound panel.async_connect() call to the Konnected hardware on the LAN.
The same URL that correctly rejects unauthenticated POST and PUT requests silently serves unauthenticated GET requests, leaking alarm-panel state and device topology to anyone who can reach Home Assistant’s HTTP port (8123 on the LAN by default).
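To make the asymmetry and its fix concrete, the following is an added example (not code from Home Assistant or the Konnected integration) that models the endpoint's authorization decision as a pure function: the vulnerable form gates only POST/PUT, the hardened form gates every verb and does so before the device lookup. The device ids and tokens are constructed placeholders.

```python
import hmac
from typing import Mapping, Optional

# Constructed token store standing in for the tokens the integration keeps in
# its config entries. Device ids and tokens here are made up for this example.
DEVICE_TOKENS = {
    "panel-one-id": "made-up-token-1",
    "panel-two-id": "made-up-token-2",
}


def bearer_token(headers: Mapping[str, str]) -> Optional[str]:
    """Return the token from 'Authorization: Bearer <token>', or None if absent/malformed."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return token if scheme.lower() == "bearer" and token else None


def token_is_known(presented: Optional[str], tokens: Mapping[str, str]) -> bool:
    """Constant-time comparison against every stored token, without an early exit on match."""
    if presented is None:
        return False
    matched = False
    for stored in tokens.values():
        matched |= hmac.compare_digest(presented.encode(), stored.encode())
    return matched


def vulnerable_status(method: str, device_id: str, headers: Mapping[str, str],
                      tokens: Mapping[str, str] = DEVICE_TOKENS) -> int:
    """Mirrors the flaw described above: only the write verbs are gated; GET is not."""
    if method in ("POST", "PUT") and not token_is_known(bearer_token(headers), tokens):
        return 401
    # Unauthenticated GET reaches this line, so 404-vs-200 leaks which devices exist.
    return 200 if device_id in tokens else 404


def hardened_status(method: str, device_id: str, headers: Mapping[str, str],
                    tokens: Mapping[str, str] = DEVICE_TOKENS) -> int:
    """Gate every verb, and gate before the device lookup so existence is not disclosed."""
    if not token_is_known(bearer_token(headers), tokens):
        return 401
    return 200 if device_id in tokens else 404
```

In the hardened form an unauthenticated client receives 401 regardless of method or device id, which removes both the state read and the device-enumeration oracle.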