CVE-2026-50084
Awaiting Analysis - Queue
Aqara Cloud API Missing Authorization Vulnerability

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: 44488dab-36db-4358-99f9-bc116477f914

Description
The Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) would authorize any valid developer token for access to any account. This is an instance of "CWE-862: Missing Authorization" with an estimated CVSS score of 9.6 (Critical), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N. When combined with CVE-2026-50082, CVE-2026-50083, and CVE-2026-50085, this can lead to a fully unauthenticated, remote takeover of affected devices.
Meta Information
Generated: 2026-06-12
AI Q&A: 2026-06-12
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: aqara
Product: cloud_production_api
Version / Range: up to 2026-04-08 (inclusive)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthorized access to any user account via the Aqara Cloud Production API due to missing authorization checks. This can lead to unauthorized disclosure and modification of sensitive user data.

Such unauthorized access and potential data breaches could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

However, the provided information does not explicitly discuss the direct impact on compliance with these standards.

Executive Summary

CVE-2026-50084 is a critical vulnerability in the Aqara Cloud Production API that allows unauthorized cross-account access. Specifically, the API authorizes any valid developer token to access any user account without verifying account ownership, which is a case of missing authorization (CWE-862). Although the API uses an MD5 signature for request authentication, it never checks whether the developer token belongs to the targeted account, so a correctly signed request from one developer is served against another developer's account.

This flaw has a CVSS score of 9.6 (Critical) and, when combined with other related vulnerabilities (CVE-2026-50082, CVE-2026-50083, and CVE-2026-50085), it can lead to a fully unauthenticated, remote takeover of affected devices.

Impact Analysis

This vulnerability can have severe impacts, including unauthorized access to any user account via the Aqara Cloud Production API using a valid developer token. Attackers can potentially control user-specific endpoints and, when combined with other vulnerabilities, achieve a fully unauthenticated remote takeover of affected devices.

Such unauthorized access can lead to compromise of sensitive user data, loss of device control, and potential disruption of services relying on these devices.

Detection Guidance

This vulnerability involves unauthorized cross-account access via the Aqara Cloud Production API at open-cn.aqara.com/v3.0/open/api, where any valid developer token can access any user account without proper authorization.

Detection can focus on monitoring API requests that use developer tokens to access user-specific endpoints without proper account ownership verification.

Specifically, you can inspect network traffic for API calls to open-cn.aqara.com/v3.0/open/api that include developer tokens and check if these tokens are being used to access multiple or unexpected user accounts.

Since the API uses an MD5 signature derived from request parameters, verifying the presence of such signatures in requests can help identify relevant traffic.

In practice this means capturing and analyzing HTTP requests to the API endpoint, for example with curl, tcpdump, or Wireshark, filtering traffic to open-cn.aqara.com and inspecting the Authorization headers or tokens in each request.

  • Use tcpdump to capture traffic to the API endpoint: tcpdump -i <interface> host open-cn.aqara.com and port 443
  • Use curl to test API access with a developer token: curl -H "Authorization: Bearer <developer_token>" https://open-cn.aqara.com/v3.0/open/api/<user-specific-endpoint>
  • Analyze logs or captured traffic for requests where a developer token accesses multiple user accounts or endpoints that should be restricted.

Mitigation Strategies

Immediate mitigation steps include restricting the use of developer tokens to trusted parties only and monitoring API usage for suspicious cross-account access.

Since the vulnerability arises from missing authorization checks, ensure that any API access enforces strict account ownership verification before allowing access to user data.

If you control the affected environment, apply any patches or updates released by Aqara, as the issue was remediated on April 8, 2026.

Additionally, consider revoking and reissuing developer tokens to prevent misuse of existing tokens.

Finally, monitor for any signs of exploitation, especially in combination with related vulnerabilities (CVE-2026-50082, CVE-2026-50083, and CVE-2026-50085) that could lead to remote takeover.
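The ownership check the Detection Guidance and Mitigation Strategies sections describe, shown both as the server-side guard that was missing and as a detector over access logs. This is an added example, not Aqara's code; the log format, field names, and the token and account identifiers are constructed for illustration.

```python
"""Developer-token ownership check: server-side guard plus log detector.
Added example, not Aqara's code; log format and identifiers are constructed."""
from collections import defaultdict

# Assumed binding of each developer token to the account that owns it.
TOKEN_OWNER = {"devtok_A": "acct_1001", "devtok_B": "acct_2002"}

# Constructed access-log lines: timestamp, token, targeted account, path.
SAMPLE_LOG = """\
2026-04-01T10:00:01Z token=devtok_A account=acct_1001 path=/v3.0/open/api
2026-04-01T10:00:05Z token=devtok_A account=acct_1001 path=/v3.0/open/api
2026-04-01T10:01:10Z token=devtok_B account=acct_2002 path=/v3.0/open/api
2026-04-01T10:02:30Z token=devtok_B account=acct_1001 path=/v3.0/open/api
2026-04-01T10:03:00Z token=devtok_B account=acct_3003 path=/v3.0/open/api
"""

def is_owner(token, account, token_owner=TOKEN_OWNER):
    """The missing CWE-862 check: a token may only act on the account it is
    bound to. Unknown tokens are denied rather than treated as valid."""
    return token_owner.get(token) == account

def handle_request(token, account, token_owner=TOKEN_OWNER):
    """Hardened handler: a valid signature alone is not enough; ownership
    must hold before any account data is read or modified."""
    if not is_owner(token, account, token_owner):
        return {"status": 403, "error": "token not authorized for account"}
    return {"status": 200, "account": account}

def parse_line(line):
    """Split one constructed log line into a dict of its key=value fields."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = ts
    return rec

def find_cross_account_use(log_text, token_owner=TOKEN_OWNER):
    """Retrospective detection: map each token to the foreign accounts it
    touched, i.e. every request the ownership check would have refused."""
    foreign = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            if not is_owner(rec["token"], rec["account"], token_owner):
                foreign[rec["token"]].add(rec["account"])
    return {t: sorted(a) for t, a in foreign.items()}

if __name__ == "__main__":
    for tok, accts in find_cross_account_use(SAMPLE_LOG).items():
        print(f"ALERT: {tok} accessed accounts it does not own: {accts}")
```

On the constructed log, only devtok_B is flagged, for acct_1001 and acct_3003; the same function applied to real gateway logs would need the token-to-owner mapping from the developer registry.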
