CVE-2026-50089
Status: Awaiting Analysis (queue)
Open Redirect Vulnerability in Aqara IAM/SSO Gateway

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: 44488dab-36db-4358-99f9-bc116477f914

Description
The Aqara IAM/SSO Gateway (gw-builder.aqara.com) contains an open redirect, an instance of "CWE-601: URL Redirection to Untrusted Site", with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (6.1 Medium). The redirect can be used to set up a phishing attack.
Meta Information: Published 2026-06-12; Last Modified 2026-06-12; Generated 2026-06-12
Affected Vendors & Products (1 associated CPE)
Vendor: aqara
Product: iam_sso_gateway
Version / Range: up to 2026-04-08 (inclusive)
CWE-601: The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Executive Summary

CVE-2026-50089 is an open redirect vulnerability in the Aqara IAM/SSO Gateway (gw-builder.aqara.com). It occurs because the application does not properly validate the `callBackUrl` parameter in a specific GET request, allowing attackers to redirect users to malicious websites after authentication.

This vulnerability is classified as CWE-601: URL Redirection to Untrusted Site, meaning it can be exploited to redirect users to attacker-controlled domains.

The redirect can carry Single Sign-On (SSO) parameters, which might lead to leakage of SSO tickets or authentication codes to malicious sites.

Compliance Impact

The vulnerability in the Aqara IAM/SSO Gateway allows attackers to redirect users to malicious websites and potentially leak SSO tickets or authentication codes. This can lead to unauthorized access and phishing attacks, which may compromise user data confidentiality and integrity.

Such security weaknesses can negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access and phishing threats.

Impact Analysis

This vulnerability can be used by attackers to perform phishing attacks by redirecting authenticated users to malicious websites.

Because the redirect carries SSO parameters, attackers might also obtain sensitive authentication tokens or codes, potentially compromising user accounts.

The overall impact includes loss of confidentiality and integrity of user authentication, which can lead to unauthorized access and data exposure.

Detection Guidance

This vulnerability can be detected by monitoring HTTP GET requests to the endpoint /iam/ucauth/skipToUcAuthUrl on the Aqara IAM/SSO Gateway (gw-builder.aqara.com) that include the callBackUrl parameter.

Specifically, look for requests where the callBackUrl parameter points to an external or untrusted domain; such requests indicate an attempt to exploit the open redirect.

Network administrators can use tools like curl or wget to test the endpoint manually, for example:

  • curl -I "https://gw-builder.aqara.com/iam/ucauth/skipToUcAuthUrl?callBackUrl=http://malicious.example.com"
  • Observe if the response returns an HTTP 302 redirect to the attacker-controlled domain.

Additionally, network monitoring or intrusion detection systems can be configured to alert on HTTP 302 redirects from this endpoint to external domains.
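As an added example (not code from the advisory or from Aqara), the detection rule described above applied to a few constructed access-log lines, alongside the allowlist check a fixed gateway would apply to callBackUrl before redirecting; the allowlisted hosts, the log format and the sample lines are assumptions.

```python
"""Flag requests to the vulnerable endpoint whose callBackUrl leaves the
allowlist. Added example; log lines and ALLOWED_HOSTS are constructed."""
import re
from urllib.parse import urlparse, parse_qs, unquote

ENDPOINT = "/iam/ucauth/skipToUcAuthUrl"
# Assumed set of hosts a legitimate callback may target.
ALLOWED_HOSTS = {"gw-builder.aqara.com", "app.aqara.example"}

# Common log format (constructed sample lines below).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

LOG_LINES = [
    '203.0.113.5 - - [12/Jun/2026:10:00:01 +0000] "GET /iam/ucauth/skipToUcAuthUrl'
    '?callBackUrl=https%3A%2F%2Fgw-builder.aqara.com%2Fhome HTTP/1.1" 302 0',
    '198.51.100.7 - - [12/Jun/2026:10:00:02 +0000] "GET /iam/ucauth/skipToUcAuthUrl'
    '?callBackUrl=http%3A%2F%2Fmalicious.example.com HTTP/1.1" 302 0',
    '198.51.100.7 - - [12/Jun/2026:10:00:03 +0000] "GET /iam/ucauth/skipToUcAuthUrl'
    '?callBackUrl=%2F%5Cmalicious.example.com HTTP/1.1" 302 0',
    '203.0.113.9 - - [12/Jun/2026:10:00:04 +0000] "GET /iam/ucauth/other'
    '?callBackUrl=http%3A%2F%2Fmalicious.example.com HTTP/1.1" 200 0',
]

def callback_is_allowed(callback: str) -> bool:
    """Allowlist check for a redirect target: same-origin path, or https
    to an allowlisted host. Backslashes are normalised because browsers
    treat '/\\host' like '//host', which a naive prefix check misses."""
    url = unquote(callback).replace("\\", "/")
    parsed = urlparse(url)
    if parsed.scheme == "" and not url.startswith("//"):
        return url.startswith("/")          # relative path on this origin
    if parsed.scheme != "https":
        return False
    # hostname drops any userinfo, so 'allowed@evil' resolves to 'evil'.
    return (parsed.hostname or "").lower() in ALLOWED_HOSTS

def suspicious_redirects(log_lines):
    """Return (client_ip, callBackUrl, status) for requests to ENDPOINT
    whose callback fails the allowlist; a SIEM rule would alert on these."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if path != ENDPOINT:
            continue
        for cb in parse_qs(query).get("callBackUrl", []):
            if not callback_is_allowed(cb):
                hits.append((m.group("ip"), cb, m.group("status")))
    return hits
```

On the constructed lines, the two requests from 198.51.100.7 are flagged and the same-origin callback and the request to a different path are not.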

Mitigation Strategies

The immediate mitigation step is to apply the vendor's patch or update, as Aqara remediated this issue on April 8, 2026.

Until the patch is applied, restrict access to the vulnerable endpoint or implement web application firewall (WAF) rules to block or validate requests containing the callBackUrl parameter to prevent redirection to untrusted sites.

Educate users about the risk of phishing attacks stemming from this vulnerability and advise caution when clicking on links related to the Aqara IAM/SSO Gateway.
