
Breaking change in v7.0.0: OAuth mode now requires HOMEASSISTANT_URL environment variable #749

@julienld


Breaking Change in v7.0.0 — OAuth Mode

As part of a security fix for GHSA-fmfg-9g7c-3vq7 and GHSA-pf93-j98v-25pv, the OAuth mode no longer accepts a Home Assistant URL from the user via the consent form.

What changed

Previously, users entering their Long-Lived Access Token on the consent form could also specify which Home Assistant instance to connect to. This was a Server-Side Request Forgery (SSRF) vector — it allowed an attacker to probe internal networks by supplying arbitrary URLs.

Starting in v7.0.0, the Home Assistant URL must be set server-side via the HOMEASSISTANT_URL environment variable. The consent form now only accepts the token.
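To make the shape of the fix concrete, here is an added illustration in Python (not ha-mcp's own code; the function names, the `ha_url`/`token` form field names and the sample values are assumptions). It contrasts the pre-7.0.0 pattern, where the consent form could name the upstream instance, with the 7.0.0 pattern that takes the instance only from `HOMEASSISTANT_URL` and fails at startup when it is missing or malformed:

```python
"""Server-side Home Assistant URL resolution for a consent form.

Added illustration, not ha-mcp's own code. Field names (``ha_url``,
``token``) and sample values below are assumptions/constructed.
"""
import os
from typing import Mapping
from urllib.parse import urlsplit, urlunsplit


class ConfigError(RuntimeError):
    """Raised when the server is started without a usable HOMEASSISTANT_URL."""


def resolve_ha_url_before(form: Mapping[str, str]) -> str:
    """The pre-7.0.0 shape (the SSRF vector): the submitter chooses the target.

    Whatever is posted in ``ha_url`` becomes the base of every upstream
    request, so the server can be pointed at any host it can reach.
    """
    return form["ha_url"].rstrip("/")


def resolve_ha_url(env: Mapping[str, str]) -> str:
    """The 7.0.0 shape: the target comes only from the deployment environment.

    The form is never consulted for the host, so a submitted ``ha_url`` has no
    effect. The value is normalised and sanity-checked once so that a missing
    or malformed setting fails loudly at startup rather than at first use.
    """
    raw = env.get("HOMEASSISTANT_URL", "").strip()
    if not raw:
        raise ConfigError("HOMEASSISTANT_URL must be set (required since v7.0.0)")
    parts = urlsplit(raw)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ConfigError(f"HOMEASSISTANT_URL is not an absolute http(s) URL: {raw!r}")
    # Keep scheme, host[:port] and path; drop query, fragment and trailing slash.
    return urlunsplit((parts.scheme, parts.netloc, parts.path.rstrip("/"), "", ""))


def build_request(form: Mapping[str, str], env: Mapping[str, str]) -> tuple[str, dict[str, str]]:
    """Assemble the upstream call for one consent-form submission.

    Only the Long-Lived Access Token is read from the form; the host is fixed
    server-side. Any ``ha_url`` field the client sends is simply ignored.
    """
    token = form.get("token", "").strip()
    if not token:
        raise ValueError("consent form must carry a Long-Lived Access Token")
    base = resolve_ha_url(env)
    return f"{base}/api/", {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    # Constructed submission that still carries the old ha_url field.
    submission = {"token": "llat-example-token", "ha_url": "http://internal-host.example:8123"}
    print("before:", resolve_ha_url_before(submission))  # submitter-chosen host
    url, headers = build_request(submission, dict(os.environ, HOMEASSISTANT_URL="https://ha.example.com/"))
    print("after: ", url)                                 # operator-chosen host
```

Running the module shows the difference directly: the "before" line echoes whatever host the client supplied, while the "after" line uses the operator's `HOMEASSISTANT_URL` regardless of what the form contained. Validating the environment value up front is a cheap way to turn a misconfigured deployment into an immediate startup error instead of a confusing failure on the first consent.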

Migration

Add HOMEASSISTANT_URL to your environment before starting the server:

Docker:

docker run -d -p 8086:8086 \
  -e HOMEASSISTANT_URL=https://your-ha-instance.example.com \
  -e MCP_BASE_URL=https://your-mcp-server.example.com \
  ghcr.io/homeassistant-ai/ha-mcp:latest ha-mcp-oauth

uvx:

HOMEASSISTANT_URL=https://your-ha-instance.example.com \
MCP_BASE_URL=https://your-mcp-server.example.com \
uvx --from=ha-mcp@latest ha-mcp-oauth

Labels: documentation (Improvements or additions to documentation)