CVE-2026-50088
Status: Awaiting Analysis - Queue
Cross-Origin Resource Sharing Flaw in Aqara Developer Portal

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: 44488dab-36db-4358-99f9-bc116477f914

Description
The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) exhibit permissive cross-origin resource sharing (CORS) behaviour, an instance of "CWE-942: Permissive Cross-domain Policy with Untrusted Domains," with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High).
Meta Information
Generated: 2026-06-12
AI Q&A: 2026-06-12
EPSS Evaluated: N/A
Affected Vendors & Products (3 associated CPEs)
Vendor   Product           Version / Range
aqara    developer_portal  up to 2026-04-08 (inclusive)
aqara    developer_test    up to 2026-04-08 (inclusive)
aqara    aiot_test         up to 2026-04-08 (inclusive)
CWE
CWE-942: The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
Executive Summary

CVE-2026-50088 is a cross-origin resource sharing (CORS) vulnerability affecting Aqara's Developer Portal and its shared test environments. The issue arises because these sites improperly allow cross-origin requests, which is classified as CWE-942: Permissive Cross-domain Policy with Untrusted Domains.

Specifically, the production portal reflects null and GitHub.io origins into the Access-Control-Allow-Origin header as '*', enabling sandboxed iframes to exploit this flaw. Additionally, the test environments reflect any origin in their responses.

Since the test portals share the same user database as the production system, attackers can enumerate accounts by observing identical error codes. This vulnerability, combined with another (CVE-2026-50082), allows attackers to register developer accounts under a victim's name using their email and enumerate existing accounts through the victim's IP address.

Compliance Impact

The vulnerability in Aqara's Developer Portal and test environments involves permissive cross-origin resource sharing (CORS) policies that allow unauthorized cross-origin requests. This can lead to account enumeration and potential unauthorized access to user data.

Such unauthorized access and data exposure risks can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive information to prevent unauthorized disclosure.

Specifically, the ability to enumerate accounts and potentially impersonate users could lead to violations of confidentiality and privacy requirements mandated by these standards.

Impact Analysis

This vulnerability can have significant security impacts. Attackers can exploit the permissive CORS policy to perform unauthorized cross-origin requests, potentially accessing sensitive user data.

Because the test environments share the same user database as production, attackers can enumerate user accounts by analyzing error responses, which can lead to privacy breaches.

Furthermore, combined with another vulnerability, attackers could register developer accounts under a victim's name using their email address and enumerate existing accounts via the victim's IP address, potentially leading to account impersonation or unauthorized access.

Detection Guidance

This vulnerability can be detected by checking the CORS (Cross-Origin Resource Sharing) headers returned by the Aqara Developer Portal and its test environments to see whether they allow cross-origin requests from untrusted domains.

Specifically, you can inspect the Access-Control-Allow-Origin header in HTTP responses from the following domains: developer.aqara.com, developer-test.aqara.com, and aiot-test.aqara.com.

If the header reflects origins such as null or a github.io origin, or is set to any origin (*) without validation, the vulnerability is present.

The headers can be inspected with curl (sending a chosen Origin header and reading the response headers) or with browser developer tools:

  • curl -I -H "Origin: https://example.github.io" https://developer.aqara.com
  • curl -I -H "Origin: null" https://developer.aqara.com
  • curl -I -H "Origin: https://malicious-site.com" https://developer-test.aqara.com
  • curl -I -H "Origin: https://any-origin.com" https://aiot-test.aqara.com

If the Access-Control-Allow-Origin header in the response matches the Origin header or is set to *, it confirms the permissive cross-origin policy vulnerability.

Mitigation Strategies

Immediate mitigation steps include restricting the Access-Control-Allow-Origin header to only trusted domains and avoiding reflecting arbitrary origins in CORS headers.

Since the vulnerability affects both production and test environments, ensure that test environments do not share the same user database as production to prevent account enumeration.

Additionally, disable or limit cross-origin requests from untrusted or unknown origins, and apply patches or updates provided by Aqara, as the vulnerability was fixed by April 8, 2026.

If you manage or use these portals, verify that the fixes have been applied and monitor for suspicious activity related to account enumeration or unauthorized cross-origin requests.
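An added illustration, not Aqara's code or the page's own, of the detection check and the allowlist mitigation described above: a weak handler that reflects the probing Origin (and answers "*" for a null origin), the hardened exact-match handler, and the classification logic run over the same probe set as the curl list. The trusted origin and the probe origins are constructed placeholders, and nothing touches the network.

```python
from urllib.parse import urlparse

# Constructed allowlist: the only origin the hardened handler may ever echo.
TRUSTED_ORIGINS = {"https://portal.example"}

# Probe set mirroring the detection guidance: a null origin, a github.io origin
# and an arbitrary origin. All values are constructed for this example.
PROBE_ORIGINS = ["null", "https://someone.github.io", "https://any-origin.example"]


def permissive_cors_headers(origin):
    """Weak pattern (the flaw class on this page): echo whatever Origin arrived,
    and answer '*' for a null origin, so any page can read the response."""
    if origin is None or origin == "null":
        return {"Access-Control-Allow-Origin": "*"}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def strict_cors_headers(origin):
    """Hardened pattern: exact-match allowlist. 'null', non-https schemes,
    lookalike suffixes and unknown hosts all get no CORS headers at all."""
    if not origin or origin == "null":
        return {}
    parsed = urlparse(origin)
    if parsed.scheme != "https" or not parsed.netloc or parsed.path not in ("", "/"):
        return {}
    normalized = f"{parsed.scheme}://{parsed.netloc}"
    if normalized not in TRUSTED_ORIGINS:
        return {}
    # Vary: Origin stops a shared cache from serving one origin's answer to another.
    return {"Access-Control-Allow-Origin": normalized, "Vary": "Origin"}


def is_permissive(origin, response_headers):
    """Classification from the detection guidance: ACAO is '*', is the literal
    'null', or reflects an Origin that is not on the allowlist."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if acao in ("*", "null"):
        return True
    return acao == origin and origin not in TRUSTED_ORIGINS


def audit(handler):
    """Run the probe set through a handler and return the origins it accepts permissively."""
    return [o for o in PROBE_ORIGINS if is_permissive(o, handler(o))]


if __name__ == "__main__":
    print("weak handler accepts:", audit(permissive_cors_headers))
    print("strict handler accepts:", audit(strict_cors_headers))
```

Against real responses, feed the Origin you sent and the response headers you received into is_permissive instead of calling a simulated handler.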
