Skip to main content

Aqara IAM/SSO Gateway CVE-2026-50083

| EUVDEUVD-2026-36473 CRITICAL
Use of Hard-coded Credentials (CWE-798)
2026-06-12 runZero GHSA-h5g5-hrhr-3ph4
9.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (runZero) PRIMARY
CRITICAL
qualitative
NVD
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.1 CRITICAL

Network-reachable hardcoded OAuth client credential needs no auth or interaction (AV:N/AC:L/PR:N/UI:N); it breaks identity confidentiality and integrity but has no clear direct availability impact, so A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (runZero).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Analysis Updated
Jul 09, 2026 - 18:01 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 09, 2026 - 18:00 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 09, 2026 - 17:52 vuln.today
cvss_changed
CVSS changed
Jul 09, 2026 - 17:52 NVD
9.1 (CRITICAL) 9.8 (CRITICAL)
Re-analysis Queued
Jul 09, 2026 - 17:52 vuln.today
cvss_changed
CVSS changed
Jul 09, 2026 - 17:52 NVD
9.1 (CRITICAL) 9.8 (CRITICAL)
Patch available
Jun 12, 2026 - 17:01 EUVD
Analysis Generated
Jun 12, 2026 - 16:20 vuln.today

DescriptionNVD

The Aqara IAM/SSO Gateway (gw-builder.aqara.com) used a hardcoded OAuth client credential, which is an instance of "CWE-798: Use of Hard-coded Credentials." This issue has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 Critical). When combined with CVE-2026-50082, CVE-50084, and CVE-50085, this can lead to a fully unauthenticated, remote takeover of affected devices.

AnalysisAI

Authentication bypass in the Aqara IAM/SSO Gateway (gw-builder.aqara.com) stems from a hardcoded OAuth client credential shipped in the identity backend, letting remote attackers impersonate a trusted OAuth client and subvert the single sign-on trust boundary. Discovered by runZero and tracked as EUVD-2026-36473, it carries a critical CVSS of 9.8 and a proof-of-concept is publicly available, though EPSS (0.03%) shows no evidence of widespread automated exploitation. On its own it compromises the SSO/authorization layer, but chained with CVE-2026-50082, CVE-2026-50084, and CVE-2026-50085 it enables a fully unauthenticated remote takeover of affected devices.

Technical ContextAI

The affected component is Aqara's centralized Identity and Access Management / Single Sign-On gateway (cpe:2.3:a:aqara:aquara_iam/sso_gateway) that brokers OAuth-based authentication for the vendor's smart-home ecosystem. The root cause is CWE-798 (Use of Hard-coded Credentials): a static OAuth client_id/client_secret pair is embedded in the gateway rather than provisioned per-deployment and kept secret. In an OAuth flow the client credential authenticates the application to the authorization server; when it is hardcoded and recoverable, any third party can present themselves as that legitimate client and request or exchange tokens, collapsing the confidentiality of the credential and the integrity of the authorization decisions the SSO layer is supposed to enforce. Because the gateway is the identity anchor for connected devices, weakness here has cascading effects across every service that trusts its tokens.

RemediationAI

Patch available per vendor advisory - Aqara has issued a fix, and because the vulnerable component is a vendor-hosted identity gateway (gw-builder.aqara.com) the correction is applied server-side; ensure any locally managed devices, hubs, or app versions that interact with the SSO gateway are updated to the latest vendor firmware/app release so they use the rotated credential and any revised OAuth flow. Consult the runZero advisory (https://www.runzero.com/advisories/aqara-hardcoded-oauth-cve-2026-50083) and NVD (https://nvd.nist.gov/vuln/detail/CVE-2026-50083) for exact remediation guidance; no specific fixed version string is provided in the input, so confirm the patched release directly with Aqara. As compensating controls pending confirmation, restrict device management and OAuth callback endpoints to trusted networks, rotate any credentials or tokens that may have been issued through the abused client, and monitor authentication logs for token requests using the known hardcoded client_id - with the trade-off that network restrictions may break legitimate remote-app access to devices. Address the companion CVEs (CVE-2026-50082/50084/50085) together, since remediating only this credential does not by itself close the full takeover chain.

Share

CVE-2026-50083 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy