Compliance Impact

The vulnerability allows unauthenticated access to encryption and decryption functions using the platform's signing key, which can lead to unauthorized data manipulation or interception.

Such unauthorized access and potential data exposure could violate common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and strong authentication controls.

Specifically, the missing authentication for critical cryptographic functions and use of a broken cryptographic algorithm increase the risk of data breaches and unauthorized data access, undermining compliance with data protection requirements.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-50086 is a vulnerability in the Aqara IAM/SSO gateway that exposes an unauthenticated AES encryption and decryption oracle. This means attackers can encrypt or decrypt arbitrary data using the platform's signing key without needing to authenticate.

The vulnerability arises because the platform uses AES in ECB mode, which is a weak cryptographic method, and the encryption/decryption endpoints do not require authentication. This allows attackers to manipulate device communications or intercept data.

Specifically, two API endpoints are affected: one for encryption and one for decryption, both callable without authentication. Identical plaintext blocks produce identical ciphertext blocks, making it easier for attackers to analyze and exploit the data.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts including unauthorized decryption of sensitive data such as cookies or tokens, and the ability to forge new ciphertext under the platform's signing key.

Attackers could manipulate communications between devices or the cloud platform, potentially compromising the security of Aqara smart locks, cameras, and hubs.

Because the vulnerability is unauthenticated and callable cross-origin from any browser (when combined with another vulnerability), it increases the risk of remote exploitation without user interaction.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking for unauthenticated access to the AES encryption and decryption endpoints on the Aqara IAM/SSO Gateway.

Specifically, the endpoints `/iam/oauthToken/aseEncrypt` and `/iam/oauthToken/aseDecrypt` can be tested to see if they allow encryption or decryption requests without authentication.

A simple detection method is to send HTTP requests to these endpoints and observe if encryption or decryption occurs without requiring credentials.

• Use curl or similar tools to send POST requests to the endpoints, for example:
• curl -X POST https://gw-builder.aqara.com/iam/oauthToken/aseEncrypt -d '{"data":"test"}'
• curl -X POST https://gw-builder.aqara.com/iam/oauthToken/aseDecrypt -d '{"data":"<ciphertext>"}'

If these requests succeed without authentication and return encrypted or decrypted data, the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include applying the official patch released by Aqara, which addresses the unauthenticated AES oracle vulnerability.

If patching is not immediately possible, restrict access to the vulnerable endpoints by implementing network-level controls such as firewall rules to block external access to `/iam/oauthToken/aseEncrypt` and `/iam/oauthToken/aseDecrypt`.

Additionally, monitor and audit access logs for any suspicious or unauthorized requests to these endpoints.

Ensure that any cryptographic operations require proper authentication and avoid using ECB mode encryption, as it is insecure.

Useful 0 Not Useful 0