{"id":"CVE-2021-41104","details":"ESPHome is a system to control the ESP8266/ESP32. Anyone with web_server enabled and HTTP basic auth configured on version 2021.9.1 or older is vulnerable to an issue in which `web_server` allows over-the-air (OTA) updates without checking user defined basic auth username & password. This issue is patched in version 2021.9.2. As a workaround, one may disable or remove `web_server`.","aliases":["GHSA-48mj-p7x2-5jfm","PYSEC-2021-351"],"modified":"2026-05-04T08:38:48.327928Z","published":"2021-09-28T16:15:08.413Z","withdrawn":"2026-05-04T08:38:48.327928Z","related":["GHSA-48mj-p7x2-5jfm"],"references":[{"type":"ADVISORY","url":"https://github.com/esphome/esphome/releases/tag/2021.9.2"},{"type":"FIX","url":"https://github.com/esphome/esphome/pull/2409/commits/207cde1667d8c799a197b78ca8a5a14de8d5ca1e"},{"type":"FIX","url":"https://github.com/esphome/esphome/security/advisories/GHSA-48mj-p7x2-5jfm"}],"affected":[{"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"2021.9.2"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-41104.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}