Skip to main content

Aqara IAM/SSO Gateway CVE-2026-50087

| EUVD-2026-36477 HIGH
Permissive Cross-domain Security Policy with Untrusted Domains (CWE-942)
2026-06-12 runZero GHSA-x4g8-9rgj-rr4r
Cors Misconfiguration Information Disclosure Aqara Iam Sso Gateway
8.2
CVSS 3.1 · Vendor: runZero
Share

Severity by source

Vendor (runZero) PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
vuln.today AI
8.2 HIGH

Browser-driven cross-origin attack needs no Aqara credentials (PR:N) but requires victim visit (UI:R); credentialed CORS bypass crosses the SSO trust boundary (S:C) exposing tokens (C:H) with limited write (I:L).

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N

Primary rating from Vendor (runZero).

CVSS VectorVendor: runZero

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jun 12, 2026 - 17:01 EUVD
Analysis Generated
Jun 12, 2026 - 16:23 vuln.today

DescriptionCVE.org

The Aqara IAM/SSO gateway (gw-builder.aqara.com) exhibits a cross-origin request sharing vulnerability, which is an instance of "CWE-942: Permissive Cross-domain Policy with Untrusted Domains," and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High).

AnalysisAI

Cross-origin information disclosure in the Aqara IAM/SSO gateway (gw-builder.aqara.com) allows attacker-controlled web origins to read authenticated user data by exploiting a permissive CORS policy that trusts arbitrary domains. The flaw, scored CVSS 8.2 with scope change due to credential exposure crossing the browser/identity-provider trust boundary, affects all users of Aqara's centralized smart-home identity service and can be triggered when a logged-in victim visits an attacker-hosted page. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify logged-in Aqara user
Delivery
Deliver phishing link to malicious page
Exploit
Victim browser loads attacker JavaScript
Install
Credentialed fetch to gw-builder.aqara.com
C2
CORS policy returns SSO response cross-origin
Execute
Exfiltrate tokens and account data
Impact
Pivot to Aqara device control
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to be authenticated to the Aqara IAM/SSO gateway (an active session cookie or token at gw-builder.aqara.com) AND to visit attacker-controlled web content in the same browser while that session is valid (UI:R). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 8.2 with S:C and C:H is consistent with an SSO-layer CORS bug - confidentiality of cross-service identity data is high, integrity is limited (I:L, since the attacker primarily reads, not forges), and availability is unaffected. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a malicious page and lures an Aqara user who is currently logged into the Aqara web portal to visit it (phishing email, malvertising, or a compromised forum post). The page issues a credentialed cross-origin fetch to gw-builder.aqara.com; because the gateway's CORS policy trusts the attacker's origin, the browser hands the authenticated SSO response - potentially including tokens, account identifiers, or linked-device data - back to attacker JavaScript, which exfiltrates it and uses it to pivot to smart-home device control. …
Remediation No vendor-released patch identified at time of analysis, and because the affected component is a cloud-hosted SSO endpoint operated by Aqara, end users cannot apply a fix directly - monitor https://www.runzero.com/advisories/aqara-iam-sso-cors-cve-2026-50087 and Aqara security communications for confirmation that gw-builder.aqara.com has been reconfigured to enforce a strict allowlist of first-party origins with Access-Control-Allow-Credentials handled correctly. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all internal systems and users accessing Aqara IAM services; enforce multi-factor authentication on all Aqara accounts; implement WAF rules to block suspicious cross-origin requests to gw-builder.aqara.com. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-50088 HIGH
8.2 Jun 12

Cross-origin information disclosure in the Aqara Developer Portal (developer.aqara.com) and its shared test environments
CVE-2026-54290 HIGH
7.1 Jun 16

Cross-origin credential exposure in Hono web framework versions prior to 4.12.25 allows arbitrary third-party sites to r

Share

CVE-2026-50087 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy