title: Direct Access to ha-mcp Bare-Root Administrative Routes id: 1a6c1880-377c-48df-8ed0-1d67e128749a status: experimental description: Detects non-Supervisor access to ha-mcp add-on administrative routes exposed at the HTTP root. author: Kuniyoshi Noguchi date: 2026-06-14 references: - GHSA-q855-8rh5-jfgq logsource: category: webserver detection: selection_path: url.path|startswith: - '/api/settings/' - '/api/policy/' filter_supervisor: source.ip: '172.30.32.2' condition: selection_path and not filter_supervisor falsepositives: - Researcher-owned test environments - Custom supported ingress deployments using a different validated transport peer level: medium tags: - attack.initial-access - attack.t1190