
Aqara IAM/SSO Gateway CVE-2026-50089

EUVD-2026-36479 · MEDIUM
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2026-06-12 runZero GHSA-x2pr-g8vf-qfcp
6.1
CVSS 3.1 · Vendor: runZero

Severity by source

Vendor (runZero) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Public cloud SSO endpoint, no auth needed, scope changes to attacker domain; user must click link; no availability impact from redirect alone.

CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (runZero).

CVSS Vector (Vendor: runZero)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Patch available: Jun 12, 2026 - 17:01 (EUVD)
Analysis generated: Jun 12, 2026 - 16:36 (vuln.today)

Description (CVE.org)

The Aqara IAM/SSO Gateway (gw-builder.aqara.com) contains an open redirect, an instance of "CWE-601: URL Redirection to Untrusted Site," with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (6.1 Medium), which can be used to set up a phishing attack.

Analysis (AI)

Open redirect in the Aqara IAM/SSO Gateway (gw-builder.aqara.com) allows remote unauthenticated attackers to craft Aqara-domain URLs that silently forward victims to attacker-controlled sites, enabling highly credible phishing campaigns targeting Aqara users and connected IoT ecosystem accounts. The vulnerability is particularly impactful in an SSO context because users are trained to trust authentication-domain URLs, dramatically lowering phishing detection rates. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Identify Aqara SSO user targets
Delivery: Craft redirect URL embedding attacker domain in gateway parameter
Exploit: Deliver via phishing email or message
Execution: Victim clicks trusted gw-builder.aqara.com link
Persist: Gateway issues redirect to attacker-controlled site
Impact: Harvest submitted Aqara credentials

Vulnerability Assessment (AI)

Exploitation: The victim must actively click a crafted Aqara SSO URL (UI:R); exploitation cannot be triggered passively or silently. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: The raw CVSS score of 6.1 Medium with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N understates the operational risk in context. … Full risk analysis with EPSS, KEV, and SSVC signal comparison is available after sign-in.
Exploit Scenario: An attacker targeting an organization that uses Aqara smart devices crafts a URL to gw-builder.aqara.com with a manipulated redirect parameter pointing to an attacker-hosted page that visually mimics the Aqara login portal, then distributes it via spear-phishing email to facility managers or IT staff. The email passes domain-reputation filters because the link hostname is legitimately Aqara's SSO gateway; the victim clicks the link, the gateway silently redirects to the attacker's clone, and the victim submits their Aqara credentials. …
Remediation: No vendor-released patched version had been identified at the time of analysis; the CPE wildcard and the absence of a fixed-version reference indicate that Aqara has not yet published a confirmed remediation. … Detailed patch versions, workarounds, and compensating controls are in the full report.
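The vendor fix for this CVE is not described on this page, but the standard mitigation for CWE-601 on an SSO gateway is a strict allow-list on the post-login redirect parameter. The following is an added example written for this page, not Aqara's code or the gateway's actual logic; the hostnames in the allow-list are constructed placeholders, and it covers the browser edge cases (protocol-relative, backslash, userinfo and look-alike hosts) that naive "starts with our domain" checks miss:

```python
from urllib.parse import urlsplit

# Constructed allow-list of hosts a login flow may redirect to (placeholders,
# not Aqara's domains); a real deployment loads this from configuration.
ALLOWED_HOSTS = {"portal.example.com", "app.example.com"}
DEFAULT_TARGET = "/"


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS):
    """Return `target` if it is a safe post-login destination, else DEFAULT_TARGET.

    Accepts only (a) a local path beginning with a single '/' or (b) an https
    URL whose host is exactly on the allow-list. Every other shape (other
    schemes, protocol-relative '//host', backslash and userinfo tricks, ports,
    look-alike subdomains, control characters) falls back to the default.
    """
    if not isinstance(target, str) or not target:
        return DEFAULT_TARGET
    # Browsers tolerate embedded tabs/newlines and treat '\' like '/', so reject
    # any target containing them or surrounded by whitespace before parsing.
    if any(c in target for c in "\r\n\t\\") or target != target.strip():
        return DEFAULT_TARGET
    try:
        parts = urlsplit(target)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return DEFAULT_TARGET
    # Case (a): local path. '//host' parses with an empty scheme but a netloc,
    # so it never reaches this branch; still require exactly one leading '/'.
    if parts.scheme == "" and parts.netloc == "":
        if target.startswith("/") and not target.startswith("//"):
            return target
        return DEFAULT_TARGET
    # Case (b): absolute URL. Require https, no credentials, no explicit port,
    # and an exact (case-insensitive) host match; 'good.com.evil.net' fails.
    if parts.scheme.lower() != "https":
        return DEFAULT_TARGET
    if parts.username is not None or parts.password is not None or port is not None:
        return DEFAULT_TARGET
    host = (parts.hostname or "").rstrip(".").lower()
    if host in allowed_hosts:
        return target
    return DEFAULT_TARGET
```

The function returns the original string unchanged on success so the caller can place it directly in the Location header without re-encoding.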



