CVE-2026-50082
Status: Awaiting Analysis (queue)
Missing Authentication in Aqara Cloud Developer Portal

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: 44488dab-36db-4358-99f9-bc116477f914

Description
The Aqara Cloud Developer Portal (developer.aqara.com) issued a developer token to any email address supplied by the attacker. This is an instance of "CWE-306: Missing Authentication for Critical Function" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (6.5 Medium). When combined with CVE-2026-50083, CVE-2026-50084, and CVE-2026-50085, any otherwise-unauthenticated attacker could execute a full takeover of affected devices.
Affected Vendors & Products
One associated CPE:
Vendor: aqara
Product: developer_portal
Version / Range: up to 2026-04-30 (inclusive)
CWE
CWE-306: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Compliance Impact

The vulnerability in the Aqara Developer Portal allows attackers to bypass authentication and obtain valid credentials, leading to unauthorized access to user-scope endpoints and, when combined with the related vulnerabilities, potential full device takeover.

Such unauthorized access and potential compromise of user data and devices could negatively affect compliance with standards and regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

The available information does not, however, describe a direct impact on compliance with these regulations.

Impact Analysis

This vulnerability allows attackers to bypass authentication and obtain valid credentials (Appid and Keyid) to access user-scope endpoints without authorization.

As a result, attackers could create unauthorized developer accounts and potentially execute a full takeover of affected devices when combined with other related vulnerabilities.

This could lead to unauthorized control over devices, data exposure, and disruption of services.

Executive Summary

CVE-2026-50082 is a vulnerability in the Aqara Developer Portal where the system issued developer tokens to any email address supplied by an attacker without proper authentication.

This means an attacker could obtain valid developer tokens without proving their identity, allowing unauthorized account creation and access.

This flaw is classified as CWE-306: Missing Authentication for Critical Function and has a CVSS score of 6.5 (Medium severity).

When combined with other related vulnerabilities (CVE-2026-50083, CVE-2026-50084, and CVE-2026-50085), it could enable an attacker to fully compromise affected devices.

Mitigation Strategies

Aqara fixed the vulnerability in April 2026. The immediate mitigation is to ensure that the Aqara Developer Portal you rely on is running the fixed version released after April 2026.

Because the vulnerability allowed developer tokens to be issued without authentication, revoke any suspicious or unauthorized tokens and credentials (Appid and Keyid) that may have been issued during the affected period.

Additionally, monitor for unauthorized access attempts and apply the patches for the related vulnerabilities (CVE-2026-50083, CVE-2026-50084, and CVE-2026-50085), since full device takeover requires chaining them with this issue.
