CVE-2026-50090
Status: Awaiting Analysis (Queue)
Aqara Cloud OAuth Authorization Redirect Bypass

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: 44488dab-36db-4358-99f9-bc116477f914

Description
The Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize) is vulnerable to a redirect bypass due to lax controls on domain matching, which is an instance of "CWE-1289: Improper Validation of Unsafe Equivalence in Input" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N (9.3 Critical).
Meta Information
Published: 2026-06-12
Last Modified: 2026-06-12
Generated: 2026-06-12
AI Q&A: 2026-06-12
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: aqara
Product: cloud_oauth_authorization_endpoint
Version / Range: up to 2026-04-08 (inclusive)
CWE
CWE-1289: The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value.
Executive Summary

CVE-2026-50090 is a vulnerability in the Aqara Cloud OAuth Authorization Endpoint that allows attackers to bypass domain validation for the redirect_uri parameter.

Instead of requiring an exact domain match, the endpoint validates the parameter using a suffix match, which means any URL ending with "aqara.com" is accepted.

This flaw enables malicious URLs such as https://aqara.com.evil.example.com to pass validation, potentially allowing attackers to steal OAuth authorization codes after a victim grants consent.

This vulnerability is classified as CWE-1289: Improper Validation of Unsafe Equivalence in Input.

Impact Analysis

An attacker exploiting this vulnerability can perform OAuth account takeovers by stealing authorization codes.

This leads to unauthorized access to third-party integrations that rely on Aqara Single Sign-On (SSO), potentially compromising user accounts and sensitive data.

The vulnerability carries a critical CVSS score of 9.3: network attack vector, low attack complexity, no privileges required, and user interaction required.

Detection Guidance

This vulnerability can be detected by monitoring OAuth authorization requests to the Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize) and inspecting the redirect_uri parameter for unsafe domain suffix matches.

Specifically, look for redirect_uri values that end with "aqara.com" but are actually subdomains of malicious domains, such as "https://aqara.com.evil.example.com".

You can use network traffic capture tools like tcpdump or Wireshark to capture HTTP requests to the endpoint and then filter or grep for suspicious redirect_uri parameters.

Example commands to detect suspicious redirect_uri parameters in captured traffic or logs:

  • Using tcpdump to capture traffic on port 443 (HTTPS) and save to a file: tcpdump -i any port 443 -w capture.pcap
  • Using tshark to extract HTTP requests and filter for redirect_uri parameters containing "aqara.com": tshark -r capture.pcap -Y 'http.request.uri contains "redirect_uri" and http.request.uri contains "aqara.com"' -T fields -e http.request.uri
  • Using grep on server logs or captured HTTP requests: grep -i 'redirect_uri=.*aqara.com' access.log

Review any redirect_uri value whose host would pass a suffix match but is not an exact registered domain, as these are the likely signs of an exploitation attempt.

Mitigation Strategies

Immediate mitigation steps include updating or patching the Aqara Cloud OAuth Authorization Endpoint to the vendor-fixed version released on April 8, 2026.

Until the patch is applied, avoid using or trusting OAuth redirect_uri parameters that rely on suffix domain matching for validation.

Implement stricter validation on redirect_uri parameters by enforcing exact domain matching rather than suffix matching to prevent malicious URLs from passing validation.

Monitor OAuth authorization logs for suspicious redirect_uri values and revoke any suspicious OAuth tokens or authorizations that may have been compromised.

Educate users to be cautious when granting OAuth consent requests related to Aqara services until the vulnerability is fully mitigated.
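As an added example (not the page's, NVD's or Aqara's code), the loose host match described under Detection Guidance beside the exact-host check called for under Mitigation Strategies, plus the log review from Detection Guidance run over constructed access-log lines. The allowlisted hosts and the log lines are assumptions; note that the page's own example host, aqara.com.evil.example.com, passes a substring or prefix comparison rather than a strict suffix one, so the weak check models loose string matching in general.

```python
from urllib.parse import urlparse, parse_qs

# Exact redirect hosts the authorization server should accept. Constructed
# for this example; the real registered redirect URIs are not on the page.
ALLOWED_REDIRECT_HOSTS = {"aqara.com", "open-cn.aqara.com"}


def weak_redirect_check(redirect_uri: str) -> bool:
    """Loose string match on the host (the flaw class in the advisory)."""
    host = urlparse(redirect_uri).hostname or ""
    return "aqara.com" in host  # accepts aqara.com.evil.example.com, notaqara.com


def strict_redirect_check(redirect_uri: str) -> bool:
    """https only, no embedded credentials or port, exact registered host."""
    try:
        parts = urlparse(redirect_uri)
        if parts.scheme != "https" or parts.username or parts.port:
            return False
        return (parts.hostname or "") in ALLOWED_REDIRECT_HOSTS
    except ValueError:  # malformed authority, e.g. a non-numeric port
        return False


def find_suspicious_redirects(log_lines):
    """Flag /oauth/authorize redirect_uri values naming aqara.com that fail the exact-host check."""
    hits = []
    for line in log_lines:
        # Request target from a combined-log line: the token after the method.
        path = line.split('"')[1].split(" ")[1] if line.count('"') >= 2 else ""
        if not path.startswith("/oauth/authorize"):
            continue
        for uri in parse_qs(urlparse(path).query).get("redirect_uri", []):
            if "aqara.com" in uri and not strict_redirect_check(uri):
                hits.append(uri)
    return hits


# Constructed access-log lines (sample data, not from the advisory). Line 1 is
# a legitimate request; lines 2 and 3 carry hosts that only loose matching accepts.
SAMPLE_LOG = [
    '10.0.0.1 - - [12/Jun/2026:10:00:00 +0000] "GET /oauth/authorize?client_id=x&redirect_uri=https%3A%2F%2Fopen-cn.aqara.com%2Fcb&response_type=code HTTP/1.1" 302 0',
    '10.0.0.2 - - [12/Jun/2026:10:00:01 +0000] "GET /oauth/authorize?client_id=x&redirect_uri=https%3A%2F%2Faqara.com.evil.example.com%2Fcb&response_type=code HTTP/1.1" 302 0',
    '10.0.0.3 - - [12/Jun/2026:10:00:02 +0000] "GET /oauth/authorize?client_id=x&redirect_uri=https%3A%2F%2Fnotaqara.com%2Fcb&response_type=code HTTP/1.1" 302 0',
    '10.0.0.4 - - [12/Jun/2026:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for uri in find_suspicious_redirects(SAMPLE_LOG):
        print("REVIEW:", uri, "| weak check accepts:", weak_redirect_check(uri))
```

Traffic captured on port 443 is TLS-encrypted, so this parsing applies to the server's own access logs or a TLS-terminating proxy's logs rather than to a raw pcap.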

Compliance Impact

The vulnerability in the Aqara Cloud OAuth Authorization Endpoint allows attackers to bypass domain validation and perform OAuth account takeovers, gaining unauthorized access to third-party integrations that rely on Aqara SSO.

Such unauthorized access to user accounts and potentially sensitive data could lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and health information.

However, the provided information does not explicitly detail the impact on compliance with these standards or any specific regulatory consequences.
