
Aqara IAM/SSO Gateway CVE-2026-50086

EUVD-2026-36476 CRITICAL
Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
2026-06-12 runZero GHSA-3897-2crh-vgmr
10.0
CVSS 3.1 · Vendor: runZero

Severity by source

Vendor (runZero) PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.1 CRITICAL

Internet-reachable endpoint with no auth or UI gives AV:N/AC:L/PR:N/UI:N; oracle leaks key-protected data (C:H) and enables token forgery (I:H); no availability impact, no cross-component scope change.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (runZero).

CVSS Vector (Vendor: runZero)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

Patch available
Jun 12, 2026 - 17:01 EUVD
Analysis Generated
Jun 12, 2026 - 16:22 vuln.today

Description (CVE.org)

The Aqara IAM/SSO gateway (gw-builder.aqara.com) exposes bidirectional AES round-trips against the platform's signing key without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and "CWE-327: Use of a Broken or Risky Cryptographic Algorithm," and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High).

Analysis (AI)

Unauthenticated cryptographic oracle in the Aqara IAM/SSO gateway (gw-builder.aqara.com) allows remote attackers to abuse bidirectional AES encrypt/decrypt operations performed with the platform's signing key, effectively turning the gateway into a generic crypto oracle. The flaw stems from missing authentication on a critical function combined with use of a risky cryptographic design, and no public exploit code or CISA KEV listing has been identified at time of analysis. …


Attack Chain (AI Derived)

Hypothetical attack flow derived from CVE metadata

Recon: Identify gw-builder.aqara.com AES endpoint
Delivery: Send chosen ciphertext to decrypt oracle
Exploit: Recover plaintext token structure
Install: Send chosen plaintext to encrypt oracle
C2: Mint forged signed token
Execute: Replay token against Aqara IAM/SSO
Impact: Impersonate user and access account

Vulnerability Assessment (AI)

Exploitation: No special conditions - remote unauthenticated exploitation against the default, production deployment of the Aqara IAM/SSO gateway at gw-builder.aqara.com, which is Internet-reachable by design. …
Risk Assessment: Signals conflict and must be weighed carefully: the input lists CVSS 10.0 with S:C/C:H/I:H/A:H, but the CVE description itself estimates 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) - the lower vector better matches an oracle that leaks/forges cryptographic material without directly altering availability of the service. …
Exploit Scenario: An unauthenticated attacker on the public Internet sends crafted requests to gw-builder.aqara.com, alternately submitting chosen ciphertexts and chosen plaintexts to the exposed AES endpoint to recover cleartext from intercepted tokens and to mint new ciphertexts encrypted under the platform signing key. The forged blobs are then replayed against Aqara IAM/SSO to impersonate legitimate users or devices and reach their cloud-bound smart-home accounts. …
Remediation: No vendor-released patch identified at time of analysis; because this is a server-side Aqara cloud endpoint, remediation must be performed by Aqara rather than by end users, and operators should monitor https://www.runzero.com/advisories/aqara-unauth-aes-oracle-cve-2026-50086 and Aqara's security channel for an official fix that enforces authentication on the AES endpoint and/or rotates the platform signing key. …

Recommended Action (AI)

Within 24 hours: Identify all Aqara IAM/SSO gateways (gw-builder.aqara.com) in your environment and isolate from internet-facing access; enable detailed audit logging on authentication endpoints. …
