Anyone with web_server enabled and HTTP basic auth configured on 2021.9.1 or older is affected.
The web_server component allows an OTA update without checking the user-defined basic auth username and password.
A patch was released in 2021.9.2.
Workaround: disable or remove web_server.
github.com/esphome/esphome
github.com/esphome/esphome/commit/be965a60eba6bb769e2a5afdbc8eed132f077a59
github.com/esphome/esphome/pull/2409/commits/207cde1667d8c799a197b78ca8a5a14de8d5ca1e
github.com/esphome/esphome/releases/tag/2021.9.2
github.com/esphome/esphome/security/advisories/GHSA-48mj-p7x2-5jfm
nvd.nist.gov/vuln/detail/CVE-2021-41104