Security researchers have discovered nine vulnerabilities in a range of internet-connected light bulbs made by Osram.
The flaws in the Lightify products could give attackers access to a home wi-fi network, and potentially operate the lights without permission.
Osram said a "majority" of the problems would be fixed in a software update in August, but four remained unpatched.
One security expert said Osram had made an "elementary" mistake.
Osram's Lightify range features internet-connected light bulbs that can be controlled using a smartphone app.
Researcher Deral Heiland from Rapid7 discovered nine vulnerabilities in the Home and Pro range and reported them to the manufacturer.
One problem was that the Osram smartphone app stored an unencrypted copy of the user's wi-fi password.
That could give an attacker access to a user's home wi-fi network and the devices connected to it, if the password was extracted from the app.
