CVE-2026-50084— Aqara API cross-account access
Affected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Aqara | Cloud Production API | 2026-04-20< 0 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-50084
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Aqara API cross-account access
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) would authorize any valid developer token for access to any account. This is an instance of "CWE-862: Missing Authorization" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N (9.6 Critical). When combined with CVE-2026-50082, CVE-50083, and CVE-50085, this can lead to a fully unauthenticated, remote takeover of affected devices.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制缺失
Source: NVD (National Vulnerability Database)
Vulnerability Title
Aqara Cloud Production API 授权问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Aqara Cloud Production API是美国Aqara公司的API管理服务。 Aqara Cloud Production API存在授权问题漏洞,该漏洞源于缺少授权检查,可能导致任何有效的开发者令牌被授权访问任何账户,从而导致受影响设备的完全远程接管。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Aqara | Cloud Production API | 2026-04-20 ~ 0 | - |
II. Public POCs for CVE-2026-50084
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
Qwen3.6-35B-A3B · 6979 chars
Pro+ exclusive includes:
Vulnerability reproduction recording (real sandbox build + trigger, exclusive)
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month
III. Intelligence Information for CVE-2026-50084
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-50084 (1)
Proof of Concept for CVE-2026-50084 (1)
Same Patch Batch · Aqara · 2026-06-12 · 10 CVEs total
| CVE-2026-50086 | 10.0 CRITICAL | Aqara unauthenticated AES oracle |
| CVE-2026-50090 | 9.3 CRITICAL | Aqara OAuth redirect_uri validation bypass |
| CVE-2026-50083 | 9.1 CRITICAL | Aqara hardcoded OAuth client credentials |
| CVE-2026-50091 | 9.1 CRITICAL | Aqara Home Android SDK hardcoded keys |
| CVE-2026-50085 | 8.6 HIGH | Aqara Board IoT insecure debug API |
| CVE-2026-50087 | 8.2 HIGH | Aqara IAM/SSO Gateway cross-origin resource sharing |
| CVE-2026-50088 | 8.2 HIGH | Aqara Developer Portal cross-origin resource sharing |
| CVE-2026-50082 | 6.5 MEDIUM | Aqara Developer Portal insecure authentication token |
| CVE-2026-50089 | 6.1 MEDIUM | Aqara IAM/SSO Gateway open redirect |
IV. Related Vulnerabilities
Same vendor: Aqara
Same weakness: CWE-862
- CVE-2026-11719
MCP数据库工具箱旧版本认证绕过漏洞 - CVE-2026-12093
Simple Membership <= 4.7.5 - Missing Authorization to Unauth - CVE-2026-10029
Event Koi Lite <= 1.3.13.1 - Missing Authorization to Unauth - CVE-2026-9199
Equalize Digital Accessibility Checker <= 1.42.1 - Missing A - CVE-2026-12407
E2Pdf <= 1.32.26 - Missing Authorization to Authenticated (C
V. Comments for CVE-2026-50084
No comments yet