Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Internet-reachable unauthenticated API (AV:N/AC:L/PR:N/UI:N); primary impact is injected device commands (I:H) with limited confidentiality/availability effect, matching SSVC 'partial'.
Primary rating from Vendor (runZero).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
10DescriptionNVD
The Aqara Board service (op-test.aqara.com) accepts arbitrary MQTT command payloads, and forwards them to the platfom's HiveMQ broker without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and has an estimated CVSS ofCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L (8.6 High). When combined with CVE-2026-50082, CVE-50083, and CVE-50084, this can lead to a fully unauthenticated, remote takeover of affected devices.
AnalysisAI
Missing authentication in the Aqara Board service (op-test.aqara.com) lets remote, unauthenticated attackers submit arbitrary MQTT command payloads that the exposed debug/test API relays to the platform's HiveMQ broker without any credential check. Publicly available proof-of-concept exploit code exists (SSVC: poc), and while EPSS is low (0.06%), runZero documents this as one link in a chain (CVE-2026-50082 through -50085) that together enables a fully unauthenticated remote takeover of affected devices. It is not listed in CISA KEV, so active exploitation in the wild is not confirmed.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36475
GHSA-xrr5-fhq2-5w4h