Severity by source
Sources disagree (Medium–Critical)AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Internet-facing API (AV:N), no special conditions (AC:L), only a self-registered developer token needed (PR:L), no user interaction, cross-tenant scope change with full read/write on victim accounts but no availability impact.
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
6DescriptionNVD
The Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) would authorize any valid developer token for access to any account. This is an instance of "CWE-862: Missing Authorization" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N (9.6 Critical). When combined with CVE-2026-50082, CVE-50083, and CVE-50085, this can lead to a fully unauthenticated, remote takeover of affected devices.
AnalysisAI
Broken authorization in the Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) allows any valid developer token to operate against arbitrary user accounts, breaking tenant isolation across the platform. Discovered and disclosed by runZero, the issue stems from missing authorization checks (CWE-862) and, when chained with CVE-2026-50082/50083/50085, enables fully unauthenticated remote takeover of affected smart-home devices. No public exploit identified at time of analysis, though a related researcher repository is referenced in the advisory.
Technical ContextAI
The affected component is Aqara's Cloud Production API, a multi-tenant REST endpoint at open-cn.aqara.com/v3.0/open/api that backs Aqara's smart-home ecosystem (hubs, sensors, cameras, locks) and is consumed by third-party developer integrations using OAuth-style developer tokens. The root cause is CWE-862 Missing Authorization: the server authenticates the bearer token but never checks that the token's owning developer/tenant is authorized to act on the target accountId/userId supplied in the request, so any low-privileged developer credential becomes a cross-tenant master key. The CPE cpe:2.3:a:aqara:cloud_production_api:*:*:*:* indicates the flaw is in the cloud service itself rather than a specific firmware build, meaning all customers of the platform were exposed simultaneously until the vendor pushed a server-side fix.
RemediationAI
Because the defect resides in Aqara's hosted API, end users cannot patch it directly; remediation depends on a server-side authorization fix deployed by Aqara, and no vendor-released patch is independently confirmed from the supplied references - consult the runZero advisory at https://www.runzero.com/advisories/aqara-api-access-cve-2026-50084 and Aqara's developer portal for the current status. As compensating controls until vendor confirmation, account holders should rotate or revoke any third-party developer integrations they previously granted (reducing the population of tokens that could abuse the flaw against their account), unlink the Aqara cloud account from any non-essential ecosystems, and where feasible operate Aqara hubs in local/LAN-only mode (Aqara hub local control), accepting the trade-off of losing remote access and voice-assistant integrations; network operators monitoring outbound traffic should alert on unexpected API calls to open-cn.aqara.com from unmanaged developer environments. Because this CVE chains with CVE-2026-50082/50083/50085 to enable device takeover, prioritize firmware updates for Aqara devices once the vendor publishes patched releases.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36474
GHSA-4mvx-j4wr-wqrc