From 9616596146395191bfcec01cc310b0cef58d1c1d Mon Sep 17 00:00:00 2001
From: "J. Nick Koston"
Date: Sun, 8 Feb 2026 06:40:30 -0600
Subject: [PATCH] [ota] Use secrets module for OTA authentication cnonce

Replace random.random() with secrets.token_hex() for generating the client nonce in OTA challenge-response authentication. The random module uses Mersenne Twister which is not cryptographically secure. The secrets module is the correct choice for security-sensitive token generation.
---
 esphome/espota2.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/esphome/espota2.py b/esphome/espota2.py
index 2d90251b38..bdfa7cb242 100644
--- a/esphome/espota2.py
+++ b/esphome/espota2.py
@@ -6,7 +6,7 @@ import hashlib
 import io
 import logging
 from pathlib import Path
-import random
+import secrets
 import socket
 import sys
 import time
@@ -301,7 +301,7 @@ def perform_ota(
     _LOGGER.debug("Auth: %s Nonce is %s", hash_name, nonce)
 
     # Generate cnonce
-    cnonce = hash_func(str(random.random()).encode()).hexdigest()
+    cnonce = secrets.token_hex(32)
     _LOGGER.debug("Auth: %s CNonce is %s", hash_name, cnonce)
 
     send_check(sock, cnonce, "auth cnonce")
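Review bot: The new cnonce on the `+    cnonce = secrets.token_hex(32)` line is always 64 hex characters, whereas the removed line produced a hexdigest whose length was tied to `hash_func` (32 characters for an MD5-style digest, 64 for SHA-256), so the wire format sent by `send_check(sock, cnonce, "auth cnonce")` changes for the shorter-digest case. If the device side reads a fixed number of cnonce bytes matching its digest size, the MD5 path would break; I cannot confirm that from this hunk, so it is worth checking the firmware parser. Keeping the length identical to before is a one-line change, `cnonce = secrets.token_hex(hash_func().digest_size)`, which still draws from the OS CSPRNG. A short comment on the line, `# cnonce must stay digest-length: the device compares it byte-for-byte with the old hexdigest format`, would stop the next reader from "simplifying" the argument again. `perform_ota` begins and ends outside this hunk.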