Severity by source
Sources disagree (Medium–Critical)AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Network-reachable OAuth endpoint (AV:N), low complexity crafted URL (AC:L), no attacker auth needed (PR:N), victim click required (UI:R); scope change (S:C) because IdP flaw compromises client-app accounts, no availability impact.
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
6DescriptionNVD
The Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize) is vulnerable to a redirect bypass due to lax controls on domain matching, which is an instance of "CWE-1289: Improper Validation of Unsafe Equivalence in Input" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N (9.3 Critical).
AnalysisAI
Open redirect / OAuth redirect_uri validation bypass in the Aqara Cloud OAuth authorization endpoint (open-cn.aqara.com/oauth/authorize) allows remote attackers to coerce the IdP into redirecting authorization responses to attacker-controlled hosts due to lax domain-matching logic. With user interaction the flaw can be abused to steal OAuth authorization codes or tokens issued to legitimate Aqara client applications, enabling account takeover of Aqara smart-home accounts. No public exploit identified at time of analysis, though a referenced GitHub repository (xn0tsa/theres-no-place-like-home) and the runZero advisory describe the issue publicly.
Technical ContextAI
The vulnerable component is the OAuth 2.0 authorization endpoint hosted at open-cn.aqara.com/oauth/authorize, used by third-party integrations to obtain authorization codes for Aqara cloud accounts. The weakness is classified under CWE-1289 (Improper Validation of Unsafe Equivalence in Input), meaning the redirect_uri validation treats semantically distinct values as equivalent - typical patterns include matching only a suffix or substring of the registered domain, accepting userinfo/subdomain tricks (e.g. attacker.com.legit.com, legit.com.attacker.com, or attacker.com@legit.com), or normalizing characters such that an attacker-controlled host is treated as the registered one. Because the OAuth flow trusts the redirect_uri to deliver the authorization code, any equivalence-validation gap converts directly into a token-leak primitive against the cpe:2.3:a:aqara:cloud_oauth_authorization_endpoint:*:* component.
RemediationAI
Because the vulnerability lives in Aqara's hosted OAuth service, end users and integrators cannot patch it directly; remediation depends on Aqara enforcing strict, exact-match redirect_uri validation server-side at open-cn.aqara.com/oauth/authorize, and the runZero advisory at https://www.runzero.com/advisories/aqara-oauth-redirect-validation-bypass-cve-2026-50090 should be consulted to confirm fix status - no vendor-released patch version was identified at time of analysis. In the interim, third-party application owners should register only fully-qualified, single-path redirect URIs (never wildcards or bare domains), rotate any client secrets and revoke long-lived tokens issued to Aqara client apps that may have been exposed, and consider temporarily disabling SSO-style Aqara login on downstream services - the trade-off being loss of Aqara integration until the IdP fix is confirmed. End users should be cautioned not to click Aqara login/authorization links received via email, chat, or untrusted web pages until the upstream fix is verified.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36480
GHSA-r6gg-58h5-pw3w