Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Network-reachable CORS abuse needs no attacker authentication (PR:N) but requires a logged-in victim to visit a malicious page (UI:R); the browser-enforced origin boundary is crossed, from the attacker's page into the portal's origin (S:C), exposing sensitive account data (C:H) with limited write impact (I:L).
Primary rating from Vendor (runZero).
CVSS Vector (source: Vendor, runZero)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Description (source: CVE.org)
The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) exhibit cross-origin request sharing, which is an instance of "CWE-942: Permissive Cross-domain Policy with Untrusted Domains," and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High).
Analysis (AI-generated)
Cross-origin information disclosure in the Aqara Developer Portal (developer.aqara.com) and its shared test environments (developer-test.aqara.com, aiot-test.aqara.com) allows a malicious website to read authenticated responses from any victim developer who visits it while logged in, exposing portal data tied to IoT/smart-home developer accounts. The flaw is a permissive CORS policy (CWE-942) that honours untrusted origins while allowing credentials. runZero disclosed it; no public exploit had been identified at the time of analysis, though the technique is well known and trivially scriptable: a few lines of JavaScript issuing a credentialed fetch() from an attacker page are enough.
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
|---|---|
| Exploitation | Victim must be authenticated to one of the affected Aqara portals (developer.aqara.com, developer-test.aqara.com, or aiot-test.aqara.com) in the same browser and must visit or be redirected to an attacker-controlled web page during that session; this is the UI:R requirement in the CVSS vector. The portal session cookie must also be sent on a cross-site request (SameSite=None, or a browser without SameSite defaults); with SameSite=Lax or Strict the attacker's fetch() arrives unauthenticated and there is nothing to read. … |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2) is internally consistent with CORS abuse: network-reachable, low complexity, no attacker authentication required, but the victim (UI:R) must browse to an attacker page while logged into the portal, a meaningful yet very common precondition for phishing-style attacks against developer audiences. … |
| Exploit Scenario | An attacker registers a lookalike domain and sends a phishing email to Aqara IoT developers pointing at an attacker-controlled page. When a victim who is logged into developer.aqara.com visits the page, embedded JavaScript issues credentialed fetch() calls (credentials: "include") to the portal API; because the portal echoes the attacker's Origin in Access-Control-Allow-Origin while setting Access-Control-Allow-Credentials: true, the browser hands the response body to the script, which exfiltrates developer profile data, API keys, or device project metadata to the attacker. A plain GET with cookies needs no preflight, so the request is indistinguishable from normal portal traffic on the server side. The same primitive can be aimed at developer-test.aqara.com and aiot-test.aqara.com, where pre-production credentials and test device bindings often live with weaker monitoring. |
| Remediation | No vendor-released patch identified at time of analysis; because these are Aqara-operated SaaS endpoints, remediation is the vendor's responsibility. It consists of tightening the Access-Control-Allow-Origin policy on developer.aqara.com, developer-test.aqara.com, and aiot-test.aqara.com to an exact-match allowlist of trusted Aqara-owned origins, never reflecting arbitrary Origin headers while Access-Control-Allow-Credentials is true, and never answering "null" (sandboxed iframes and file:// pages send that origin). A wildcard "*" is refused by browsers for credentialed requests anyway, so reflection and "null" are the dangerous cases. Responses that vary by Origin should carry Vary: Origin so that shared caches do not serve one origin's allow to another. … |
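The exploit scenario and the remediation above both turn on one browser rule: a credentialed cross-origin fetch is readable by script only when Access-Control-Allow-Origin exactly equals the requesting origin and Access-Control-Allow-Credentials is "true". The JavaScript below is an added example, not code from Aqara, runZero, or vuln.today. It models the vulnerable origin-reflecting policy beside the allowlisted fix, the browser's decision, the SameSite precondition, and a small classifier for probing a real endpoint with a bogus Origin. The attacker origin, cookie attributes and sample profile body are constructed; the allowlist assumes the three affected hosts are the origins Aqara would trust.

```javascript
// Added example (not code from Aqara, runZero, or vuln.today). Models the
// vulnerable "reflect any Origin" CORS policy beside the allowlisted fix,
// plus the browser's rule for a credentialed cross-origin read, so the two
// can be compared offline. Attacker origin, cookie attributes and the
// sample profile body are constructed for illustration.

// Assumption: the three affected portals are the only origins to trust.
const TRUSTED_ORIGINS = new Set([
  "https://developer.aqara.com",
  "https://developer-test.aqara.com",
  "https://aiot-test.aqara.com",
]);

// Vulnerable policy (CWE-942): the request's Origin header is echoed back
// unconditionally while credentials are allowed at the same time.
function corsHeadersReflecting(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Fixed policy: only an exact, case-sensitive match against the allowlist
// is echoed. A missing Origin, the literal "null", or a lookalike such as
// https://developer.aqara.com.attacker.example gets no CORS headers at all.
function corsHeadersAllowlisted(requestOrigin) {
  if (typeof requestOrigin !== "string" || !TRUSTED_ORIGINS.has(requestOrigin)) {
    return {};
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    // Shared caches must key on Origin, or an allow for one origin could
    // be served to another.
    "Vary": "Origin",
  };
}

// Browser rule (Fetch standard CORS check, credentials mode "include"):
// ACAO must equal the requesting origin exactly (never "*", never a list)
// and ACAC must be exactly "true"; otherwise the body is withheld from script.
function browserAllowsCredentialedRead(requestOrigin, responseHeaders) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  const acac = responseHeaders["Access-Control-Allow-Credentials"];
  return acao !== undefined && acao !== "*" && acao === requestOrigin && acac === "true";
}

// Attacker-page view: a credentialed fetch() from the attacker's origin.
// Returns the body the attacker's script can read, or null when blocked.
// cookie.sameSite models the portal session cookie: only SameSite=None
// cookies ride along on a cross-site fetch, so with Lax/Strict the portal
// sees an unauthenticated request and there is nothing to leak.
function simulateCrossOriginRead(policy, attackerOrigin, cookie, authenticatedBody) {
  if (cookie.sameSite !== "None") return null;
  const headers = policy(attackerOrigin);
  return browserAllowsCredentialedRead(attackerOrigin, headers) ? authenticatedBody : null;
}

// Probe classifier for a live endpoint: send a request with a bogus Origin
// (e.g. curl -i -H "Origin: https://attacker.example" <portal URL>) and pass
// the Origin you sent plus the response headers you got back.
function classifyCorsResponse(sentOrigin, responseHeaders) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  const acac = responseHeaders["Access-Control-Allow-Credentials"];
  if (acao === sentOrigin && acac === "true") return "reflects-origin-with-credentials";
  if (acao === "null" && acac === "true") return "allows-null-origin-with-credentials";
  if (acao === "*") return "wildcard-no-credentials"; // browsers refuse "*" with credentials
  return "no-credentialed-cross-origin-read";
}

// Constructed sample data.
const ATTACKER_ORIGIN = "https://attacker.example";
const SAMPLE_PROFILE = JSON.stringify({ developerId: "dev-0001", apiKey: "ak_constructed" });
const COOKIE_CROSS_SITE = { name: "session", sameSite: "None" };
const COOKIE_LAX = { name: "session", sameSite: "Lax" };

console.log("reflecting policy, SameSite=None :",
  simulateCrossOriginRead(corsHeadersReflecting, ATTACKER_ORIGIN, COOKIE_CROSS_SITE, SAMPLE_PROFILE));
console.log("allowlisted policy, SameSite=None:",
  simulateCrossOriginRead(corsHeadersAllowlisted, ATTACKER_ORIGIN, COOKIE_CROSS_SITE, SAMPLE_PROFILE));
console.log("reflecting policy, SameSite=Lax  :",
  simulateCrossOriginRead(corsHeadersReflecting, ATTACKER_ORIGIN, COOKIE_LAX, SAMPLE_PROFILE));
```

Only the first case leaks the profile: the reflecting policy with a cross-site cookie. Switching the server to the allowlist, or the cookie to SameSite=Lax, closes it, which is why the remediation targets the CORS headers rather than the API itself. The classifier mirrors the manual check a tester would run with curl against each of the three hosts before and after the fix.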
Recommended Action (AI-generated)
Within 24 hours: issue a security alert to all Aqara developers and advise immediate rotation of any API keys and credentials that were visible in the portal. VPN-only or IP-allowlist access to developer.aqara.com could only be applied by Aqara, and would not stop this attack in any case: the leaking requests are issued by the victim's own, allowed browser. Until the CORS policy is fixed, logging out of the portals when not in use, or using them only in a dedicated browser profile, removes the authenticated session the attack depends on. …
External POC / Exploit Code
EUVD-2026-36478
GHSA-fqrj-m2f5-x9pj