Skip to main content

Com Lumiunited Aqarahome CVE-2026-50091

| EUVDEUVD-2026-36481 HIGH
Use of Hard-coded Cryptographic Key (CWE-321)
2026-06-12 runZero GHSA-27qj-3j3m-fj5v
7.4
CVSS 3.1 · NVD
Share

Severity by source

Vendor (runZero) PRIMARY
CRITICAL
qualitative
NVD
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
7.4 HIGH

Keys are extractable without auth (PR:N), but weaponizing them requires intercepting the traffic they protect, so AC:H; high confidentiality and integrity impact, no availability effect.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (runZero).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

11
Analysis Updated
Jul 09, 2026 - 18:04 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 09, 2026 - 18:01 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 09, 2026 - 17:52 vuln.today
cvss_changed
Severity Changed
Jul 09, 2026 - 17:52 NVD
CRITICAL HIGH
CVSS changed
Jul 09, 2026 - 17:52 NVD
9.1 (CRITICAL) 7.4 (HIGH)
Re-analysis Queued
Jul 09, 2026 - 17:52 vuln.today
cvss_changed
Severity Changed
Jul 09, 2026 - 17:52 NVD
CRITICAL HIGH
CVSS changed
Jul 09, 2026 - 17:52 NVD
9.1 (CRITICAL) 7.4 (HIGH)
Patch available
Jun 12, 2026 - 17:01 EUVD
Analysis Generated
Jun 12, 2026 - 16:25 vuln.today
CVE Published
Jun 12, 2026 - 15:02 cve.org
CRITICAL 9.1

DescriptionNVD

Aqara Home Android (com.lumiunited.aqarahome) 6.0.0 (and white-label clients embedding the same liblumidevsdk.so) uses hard-coded cryptographic keys, which is an instance of "CWE-321: Use of Hard-coded Cryptographic Key" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 Critical).

AnalysisAI

Hard-coded cryptographic keys in the Aqara Home Android app (com.lumiunited.aqarahome) 6.0.0 and white-label clients embedding the same liblumidevsdk.so let attackers who extract the static keys from the shipped binary decrypt protected data and forge or tamper with device/cloud communications. Because every install ships the identical embedded keys, a single extraction compromises confidentiality and integrity across the entire installed base. Reported by runZero (CVE-2026-50091 / EUVD-2026-36481); publicly available exploit code exists (GitHub PoC 'theres-no-place-like-home'), but it is not on CISA KEV and EPSS is very low at 0.03%.

Share

CVE-2026-50091 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy