CVE-2026-50083
Hard-Coded OAuth Credentials in Aqara IAM/SSO Gateway

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: 44488dab-36db-4358-99f9-bc116477f914

Description
The Aqara IAM/SSO Gateway (gw-builder.aqara.com) used a hardcoded OAuth client credential, which is an instance of "CWE-798: Use of Hard-coded Credentials." This issue has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 Critical). When combined with CVE-2026-50082, CVE-50084, and CVE-50085, this can lead to a fully unauthenticated, remote takeover of affected devices.
Affected Vendors & Products (1 associated CPE)
Vendor: aqara
Product: iam_sso_gateway
Version / Range: *
CWE
CWE-798: The product contains hard-coded credentials, such as a password or cryptographic key.
Executive Summary

CVE-2026-50083 is a critical vulnerability in the Aqara IAM/SSO Gateway caused by the use of hardcoded OAuth client credentials, which is an example of CWE-798 (Use of Hard-coded Credentials). Specifically, two hardcoded credentials were found that allow an attacker to issue OAuth tokens with full scope without any authentication.

These tokens remain valid even after password changes and there is no rate limiting on token issuance, making exploitation easier. This vulnerability can be combined with other related vulnerabilities (CVE-2026-50082, CVE-50084, and CVE-50085) to achieve a fully unauthenticated remote takeover of affected devices.

Impact Analysis

This vulnerability can have a severe impact as it allows attackers to remotely take over affected devices without any authentication. Because the OAuth tokens issued using the hardcoded credentials have full access scope and remain valid despite password changes, attackers can gain high-level control over the system.

Such unauthorized access can lead to compromise of sensitive data, manipulation of device functions, and disruption of services, posing significant security risks to users and organizations relying on the Aqara IAM/SSO Gateway.

Detection Guidance

This vulnerability involves the use of hardcoded OAuth client credentials in the Aqara IAM/SSO Gateway, specifically the credentials `test1` with secret `123456` and `test` with secret `123456`. Detection can focus on identifying these credentials or unusual OAuth token issuance patterns.

To detect this vulnerability on your network or system, you can monitor network traffic for OAuth token requests containing these hardcoded credentials or tokens issued with scope=all. Additionally, inspecting logs for repeated token requests without rate limiting or after password changes may indicate exploitation attempts.

Suggested commands or approaches include:

  • Use network packet capture tools (e.g., tcpdump, Wireshark) to filter for OAuth token requests to the Aqara IAM/SSO Gateway endpoint (gw-builder.aqara.com).
  • Search logs or captured traffic for the presence of the client IDs `test1` or `test` and their associated secrets.
  • Check for OAuth tokens issued with scope=all, which may indicate use of the hardcoded credentials.
  • Monitor for token issuance events that occur even after password changes or without rate limiting, which is abnormal behavior.
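
As an added illustration of the log-based detection described above (this is not code from the advisory or from Aqara), the following Python flags token requests to the gateway that use the advisory's client IDs (`test`, `test1`), requests issued with scope=all, and bursts of token requests from one source that the missing rate limit would allow. The log line layout, the /oauth/token path, the IP addresses, the burst threshold and the sample lines are constructed assumptions, not values from the advisory.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

HARDCODED_CLIENT_IDS = {"test", "test1"}  # client IDs named in the advisory
GATEWAY_HOST = "gw-builder.aqara.com"
# Burst heuristic (assumption, not from the advisory): more than BURST_MAX token
# requests from one source inside BURST_WINDOW suggests abuse of the missing rate limit.
BURST_MAX = 3
BURST_WINDOW = timedelta(minutes=1)
# Constructed log layout (assumption): "<ISO time> <src ip> <host> <path> k=v ...".
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) ?(.*)$")
# Constructed sample lines; the /oauth/token path and the IPs are made up.
SAMPLE_LOG = """\
2026-06-12T10:00:00Z 203.0.113.5 gw-builder.aqara.com /oauth/token client_id=app-7f3a scope=device:read
2026-06-12T10:00:02Z 198.51.100.9 gw-builder.aqara.com /oauth/token client_id=test1 scope=all
2026-06-12T10:00:03Z 198.51.100.9 gw-builder.aqara.com /oauth/token client_id=test scope=all
2026-06-12T10:00:04Z 198.51.100.9 gw-builder.aqara.com /oauth/token client_id=test1 scope=all
2026-06-12T10:00:05Z 198.51.100.9 gw-builder.aqara.com /oauth/token client_id=test1 scope=all
2026-06-12T10:05:00Z 203.0.113.5 other.example.net /oauth/token client_id=test scope=all
"""

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, host, path, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    fields.update(ts=datetime.fromisoformat(ts.replace("Z", "+00:00")),
                  src=src, host=host, path=path)
    return fields

def find_alerts(lines):
    """Return (kind, source_ip, client_id) tuples for suspicious token requests."""
    alerts, recent = [], defaultdict(list)  # recent: source -> timestamps in window
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"] != GATEWAY_HOST or "client_id" not in rec:
            continue  # not a token request to the affected gateway
        if rec["client_id"] in HARDCODED_CLIENT_IDS:
            alerts.append(("hardcoded_client_id", rec["src"], rec["client_id"]))
        if rec.get("scope") == "all":
            alerts.append(("scope_all", rec["src"], rec["client_id"]))
        window = recent[rec["src"]]
        window.append(rec["ts"])
        while rec["ts"] - window[0] > BURST_WINDOW:  # evict timestamps outside the window
            window.pop(0)
        if len(window) > BURST_MAX:
            alerts.append(("token_request_burst", rec["src"], rec["client_id"]))
    return alerts
```

Running `find_alerts(SAMPLE_LOG.splitlines())` on the constructed sample reports every request from 198.51.100.9 and ignores the request to the unrelated host.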

Mitigation Strategies

Immediate mitigation steps include removing or disabling the use of the hardcoded OAuth client credentials in the Aqara IAM/SSO Gateway.

Since the tokens issued with these credentials remain valid even after password changes and lack rate limiting, it is critical to revoke all tokens issued with these credentials and implement proper credential management.

Additional steps include:

  • Update the Aqara IAM/SSO Gateway software to the version released after April 8, 2026, which contains the remediation for this vulnerability.
  • Implement rate limiting on OAuth token requests to prevent abuse.
  • Audit and rotate all OAuth client credentials to ensure no hardcoded or weak credentials remain.
  • Monitor for suspicious activity related to OAuth token issuance and usage.