Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Network-reachable hardcoded OAuth client credential needs no auth or interaction (AV:N/AC:L/PR:N/UI:N); it breaks identity confidentiality and integrity but has no clear direct availability impact, so A:N.
Primary rating from Vendor (runZero).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
8DescriptionNVD
The Aqara IAM/SSO Gateway (gw-builder.aqara.com) used a hardcoded OAuth client credential, which is an instance of "CWE-798: Use of Hard-coded Credentials." This issue has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 Critical). When combined with CVE-2026-50082, CVE-50084, and CVE-50085, this can lead to a fully unauthenticated, remote takeover of affected devices.
AnalysisAI
Authentication bypass in the Aqara IAM/SSO Gateway (gw-builder.aqara.com) stems from a hardcoded OAuth client credential shipped in the identity backend, letting remote attackers impersonate a trusted OAuth client and subvert the single sign-on trust boundary. Discovered by runZero and tracked as EUVD-2026-36473, it carries a critical CVSS of 9.8 and a proof-of-concept is publicly available, though EPSS (0.03%) shows no evidence of widespread automated exploitation. On its own it compromises the SSO/authorization layer, but chained with CVE-2026-50082, CVE-2026-50084, and CVE-2026-50085 it enables a fully unauthenticated remote takeover of affected devices.
Technical ContextAI
The affected component is Aqara's centralized Identity and Access Management / Single Sign-On gateway (cpe:2.3:a:aqara:aquara_iam/sso_gateway) that brokers OAuth-based authentication for the vendor's smart-home ecosystem. The root cause is CWE-798 (Use of Hard-coded Credentials): a static OAuth client_id/client_secret pair is embedded in the gateway rather than provisioned per-deployment and kept secret. In an OAuth flow the client credential authenticates the application to the authorization server; when it is hardcoded and recoverable, any third party can present themselves as that legitimate client and request or exchange tokens, collapsing the confidentiality of the credential and the integrity of the authorization decisions the SSO layer is supposed to enforce. Because the gateway is the identity anchor for connected devices, weakness here has cascading effects across every service that trusts its tokens.
RemediationAI
Patch available per vendor advisory - Aqara has issued a fix, and because the vulnerable component is a vendor-hosted identity gateway (gw-builder.aqara.com) the correction is applied server-side; ensure any locally managed devices, hubs, or app versions that interact with the SSO gateway are updated to the latest vendor firmware/app release so they use the rotated credential and any revised OAuth flow. Consult the runZero advisory (https://www.runzero.com/advisories/aqara-hardcoded-oauth-cve-2026-50083) and NVD (https://nvd.nist.gov/vuln/detail/CVE-2026-50083) for exact remediation guidance; no specific fixed version string is provided in the input, so confirm the patched release directly with Aqara. As compensating controls pending confirmation, restrict device management and OAuth callback endpoints to trusted networks, rotate any credentials or tokens that may have been issued through the abused client, and monitor authentication logs for token requests using the known hardcoded client_id - with the trade-off that network restrictions may break legitimate remote-app access to devices. Address the companion CVEs (CVE-2026-50082/50084/50085) together, since remediating only this credential does not by itself close the full takeover chain.
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36473
GHSA-h5g5-hrhr-3ph4