Skip to main content

Board Service EUVDEUVD-2026-36475

| CVE-2026-50085 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-06-12 runZero GHSA-xrr5-fhq2-5w4h
9.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (runZero) PRIMARY
HIGH
qualitative
NVD
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.6 HIGH

Internet-reachable unauthenticated API (AV:N/AC:L/PR:N/UI:N); primary impact is injected device commands (I:H) with limited confidentiality/availability effect, matching SSVC 'partial'.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (runZero).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

10
Analysis Updated
Jul 09, 2026 - 17:59 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 09, 2026 - 17:58 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 09, 2026 - 17:52 vuln.today
cvss_changed
Severity Changed
Jul 09, 2026 - 17:52 NVD
HIGH CRITICAL
CVSS changed
Jul 09, 2026 - 17:52 NVD
8.6 (HIGH) 9.8 (CRITICAL)
Re-analysis Queued
Jul 09, 2026 - 17:52 vuln.today
cvss_changed
Severity Changed
Jul 09, 2026 - 17:52 NVD
HIGH CRITICAL
CVSS changed
Jul 09, 2026 - 17:52 NVD
8.6 (HIGH) 9.8 (CRITICAL)
Patch available
Jun 12, 2026 - 17:01 EUVD
Analysis Generated
Jun 12, 2026 - 16:22 vuln.today

DescriptionNVD

The Aqara Board service (op-test.aqara.com) accepts arbitrary MQTT command payloads, and forwards them to the platfom's HiveMQ broker without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and has an estimated CVSS ofCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L (8.6 High). When combined with CVE-2026-50082, CVE-50083, and CVE-50084, this can lead to a fully unauthenticated, remote takeover of affected devices.

AnalysisAI

Missing authentication in the Aqara Board service (op-test.aqara.com) lets remote, unauthenticated attackers submit arbitrary MQTT command payloads that the exposed debug/test API relays to the platform's HiveMQ broker without any credential check. Publicly available proof-of-concept exploit code exists (SSVC: poc), and while EPSS is low (0.06%), runZero documents this as one link in a chain (CVE-2026-50082 through -50085) that together enables a fully unauthenticated remote takeover of affected devices. It is not listed in CISA KEV, so active exploitation in the wild is not confirmed.

Share

EUVD-2026-36475 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy