Skip to main content

Aqara Cloud OAuth CVE-2026-50090

| EUVDEUVD-2026-36480 MEDIUM
Improper Validation of Unsafe Equivalence in Input (CWE-1289)
2026-06-12 runZero GHSA-r6gg-58h5-pw3w
Medium
Disputed · 6.1 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
Vendor (runZero) PRIMARY
CRITICAL
qualitative
NVD
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
9.3 CRITICAL

Network-reachable OAuth endpoint (AV:N), low complexity crafted URL (AC:L), no attacker auth needed (PR:N), victim click required (UI:R); scope change (S:C) because IdP flaw compromises client-app accounts, no availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

6
Severity Changed
Jul 09, 2026 - 17:52 NVD
CRITICAL MEDIUM
CVSS changed
Jul 09, 2026 - 17:52 NVD
9.3 (CRITICAL) 6.1 (MEDIUM)
Severity Changed
Jul 09, 2026 - 17:52 NVD
CRITICAL MEDIUM
CVSS changed
Jul 09, 2026 - 17:52 NVD
9.3 (CRITICAL) 6.1 (MEDIUM)
Patch available
Jun 12, 2026 - 17:01 EUVD
Analysis Generated
Jun 12, 2026 - 16:24 vuln.today

DescriptionNVD

The Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize) is vulnerable to a redirect bypass due to lax controls on domain matching, which is an instance of "CWE-1289: Improper Validation of Unsafe Equivalence in Input" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N (9.3 Critical).

AnalysisAI

Open redirect / OAuth redirect_uri validation bypass in the Aqara Cloud OAuth authorization endpoint (open-cn.aqara.com/oauth/authorize) allows remote attackers to coerce the IdP into redirecting authorization responses to attacker-controlled hosts due to lax domain-matching logic. With user interaction the flaw can be abused to steal OAuth authorization codes or tokens issued to legitimate Aqara client applications, enabling account takeover of Aqara smart-home accounts. No public exploit identified at time of analysis, though a referenced GitHub repository (xn0tsa/theres-no-place-like-home) and the runZero advisory describe the issue publicly.

Technical ContextAI

The vulnerable component is the OAuth 2.0 authorization endpoint hosted at open-cn.aqara.com/oauth/authorize, used by third-party integrations to obtain authorization codes for Aqara cloud accounts. The weakness is classified under CWE-1289 (Improper Validation of Unsafe Equivalence in Input), meaning the redirect_uri validation treats semantically distinct values as equivalent - typical patterns include matching only a suffix or substring of the registered domain, accepting userinfo/subdomain tricks (e.g. attacker.com.legit.com, legit.com.attacker.com, or attacker.com@legit.com), or normalizing characters such that an attacker-controlled host is treated as the registered one. Because the OAuth flow trusts the redirect_uri to deliver the authorization code, any equivalence-validation gap converts directly into a token-leak primitive against the cpe:2.3:a:aqara:cloud_oauth_authorization_endpoint:*:* component.

RemediationAI

Because the vulnerability lives in Aqara's hosted OAuth service, end users and integrators cannot patch it directly; remediation depends on Aqara enforcing strict, exact-match redirect_uri validation server-side at open-cn.aqara.com/oauth/authorize, and the runZero advisory at https://www.runzero.com/advisories/aqara-oauth-redirect-validation-bypass-cve-2026-50090 should be consulted to confirm fix status - no vendor-released patch version was identified at time of analysis. In the interim, third-party application owners should register only fully-qualified, single-path redirect URIs (never wildcards or bare domains), rotate any client secrets and revoke long-lived tokens issued to Aqara client apps that may have been exposed, and consider temporarily disabling SSO-style Aqara login on downstream services - the trade-off being loss of Aqara integration until the IdP fix is confirmed. End users should be cautioned not to click Aqara login/authorization links received via email, chat, or untrusted web pages until the upstream fix is verified.

Share

CVE-2026-50090 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy