Skip to main content

Aqara Cloud API EUVDEUVD-2026-36474

| CVE-2026-50084 MEDIUM
Missing Authorization (CWE-862)
2026-06-12 runZero GHSA-4mvx-j4wr-wqrc
Medium
Disputed · 6.5 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
Vendor (runZero) PRIMARY
CRITICAL
qualitative
NVD
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
9.6 CRITICAL

Internet-facing API (AV:N), no special conditions (AC:L), only a self-registered developer token needed (PR:L), no user interaction, cross-tenant scope change with full read/write on victim accounts but no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

6
Severity Changed
Jul 09, 2026 - 17:52 NVD
CRITICAL MEDIUM
CVSS changed
Jul 09, 2026 - 17:52 NVD
9.6 (CRITICAL) 6.5 (MEDIUM)
Severity Changed
Jul 09, 2026 - 17:52 NVD
CRITICAL MEDIUM
CVSS changed
Jul 09, 2026 - 17:52 NVD
9.6 (CRITICAL) 6.5 (MEDIUM)
Patch available
Jun 12, 2026 - 17:01 EUVD
Analysis Generated
Jun 12, 2026 - 16:21 vuln.today

DescriptionNVD

The Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) would authorize any valid developer token for access to any account. This is an instance of "CWE-862: Missing Authorization" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N (9.6 Critical). When combined with CVE-2026-50082, CVE-50083, and CVE-50085, this can lead to a fully unauthenticated, remote takeover of affected devices.

AnalysisAI

Broken authorization in the Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) allows any valid developer token to operate against arbitrary user accounts, breaking tenant isolation across the platform. Discovered and disclosed by runZero, the issue stems from missing authorization checks (CWE-862) and, when chained with CVE-2026-50082/50083/50085, enables fully unauthenticated remote takeover of affected smart-home devices. No public exploit identified at time of analysis, though a related researcher repository is referenced in the advisory.

Technical ContextAI

The affected component is Aqara's Cloud Production API, a multi-tenant REST endpoint at open-cn.aqara.com/v3.0/open/api that backs Aqara's smart-home ecosystem (hubs, sensors, cameras, locks) and is consumed by third-party developer integrations using OAuth-style developer tokens. The root cause is CWE-862 Missing Authorization: the server authenticates the bearer token but never checks that the token's owning developer/tenant is authorized to act on the target accountId/userId supplied in the request, so any low-privileged developer credential becomes a cross-tenant master key. The CPE cpe:2.3:a:aqara:cloud_production_api:*:*:*:* indicates the flaw is in the cloud service itself rather than a specific firmware build, meaning all customers of the platform were exposed simultaneously until the vendor pushed a server-side fix.

RemediationAI

Because the defect resides in Aqara's hosted API, end users cannot patch it directly; remediation depends on a server-side authorization fix deployed by Aqara, and no vendor-released patch is independently confirmed from the supplied references - consult the runZero advisory at https://www.runzero.com/advisories/aqara-api-access-cve-2026-50084 and Aqara's developer portal for the current status. As compensating controls until vendor confirmation, account holders should rotate or revoke any third-party developer integrations they previously granted (reducing the population of tokens that could abuse the flaw against their account), unlink the Aqara cloud account from any non-essential ecosystems, and where feasible operate Aqara hubs in local/LAN-only mode (Aqara hub local control), accepting the trade-off of losing remote access and voice-assistant integrations; network operators monitoring outbound traffic should alert on unexpected API calls to open-cn.aqara.com from unmanaged developer environments. Because this CVE chains with CVE-2026-50082/50083/50085 to enable device takeover, prioritize firmware updates for Aqara devices once the vendor publishes patched releases.

Share

EUVD-2026-36474 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy