Skip to main content

Aqara Cloud Developer Portal CVE-2026-50082

| EUVDEUVD-2026-36472 MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-06-12 runZero GHSA-9rpw-8vg4-q84p
5.3
CVSS 3.1 · NVD
Share

Severity by source

Vendor (runZero) PRIMARY
MEDIUM
qualitative
NVD
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
6.5 MEDIUM

Publicly reachable cloud endpoint, no authentication required (PR:N, AV:N, AC:L); token acquisition yields only partial confidentiality/integrity impact, no availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (runZero).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
CVSS changed
Jul 10, 2026 - 02:52 NVD
6.5 (MEDIUM) 5.3 (MEDIUM)
Patch available
Jun 12, 2026 - 17:01 EUVD
Analysis Generated
Jun 12, 2026 - 16:34 vuln.today

DescriptionNVD

The Aqara Cloud Developer Portal (developer.aqara.com) issued a developer token to any email address supplied by the attacker. This is an instance of "CWE-306: Missing Authentication for Critical Function" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (6.5 Medium). When combined with CVE-2026-50083, CVE-2026-50084, and CVE-2026-50085, any otherwise-unauthenticated attacker could execute a full takeover of affected devices.

AnalysisAI

Unauthenticated developer token issuance in the Aqara Cloud Developer Portal (developer.aqara.com) allows any remote attacker to obtain a valid API token by supplying an arbitrary email address, with no ownership verification performed. This is the entry point of a documented four-CVE attack chain (CVE-2026-50082 through CVE-2026-50085) that, when exploited in sequence, enables full takeover of Aqara smart home devices belonging to the victim account. A public proof-of-concept exists on GitHub; no public exploit identified at time of analysis for active exploitation, but the zero-prerequisite nature of this flaw makes it trivially automatable.

Technical ContextAI

The Aqara Cloud Developer Portal is a web-based SaaS platform at developer.aqara.com used by IoT application developers to register applications and obtain API credentials for controlling Aqara smart home devices. CWE-306 (Missing Authentication for Critical Function) identifies the root cause: the token issuance endpoint performs no verification that the supplied email address corresponds to a legitimate account owner - it simply mints and returns a developer API token for any email provided. The affected product is identified by CPE cpe:2.3:a:aqara:cloud_developer_portal:*:*:*:*:*:*:*:*, covering all versions of the cloud-hosted portal. Because this is a server-side cloud service, no client-side software version is relevant; every Aqara developer portal user is exposed until Aqara remediates the endpoint server-side.

RemediationAI

No vendor-released patch version has been independently confirmed at time of analysis; the fix must be applied server-side by Aqara to the developer.aqara.com token issuance endpoint, specifically by enforcing email ownership verification (e.g., a confirmed OTP or validated registration flow) before any developer token is minted. Developers and enterprise users should immediately audit all issued developer tokens via the portal dashboard and revoke any tokens whose origin cannot be verified, then rotate legitimate tokens as a precaution. Users should monitor the runZero advisory at https://www.runzero.com/advisories/aqara-dev-portal-auth-token-2026-50082 for remediation status updates from Aqara. As a compensating control, if the Aqara portal supports IP-based allowlisting for API token usage, restrict tokens to known egress IPs - note that this limits developer workflow flexibility. Additionally, review and restrict the permissions scope of existing developer tokens to the minimum required, limiting the blast radius if a token obtained via this flaw is used in subsequent chain exploitation.

Share

CVE-2026-50082 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy