Aquara Iam Sso Gateway
Monthly
Authentication bypass in the Aqara IAM/SSO Gateway (gw-builder.aqara.com) stems from a hardcoded OAuth client credential shipped in the identity backend, letting remote attackers impersonate a trusted OAuth client and subvert the single sign-on trust boundary. Discovered by runZero and tracked as EUVD-2026-36473, it carries a critical CVSS of 9.8 and a proof-of-concept is publicly available, though EPSS (0.03%) shows no evidence of widespread automated exploitation. On its own it compromises the SSO/authorization layer, but chained with CVE-2026-50082, CVE-2026-50084, and CVE-2026-50085 it enables a fully unauthenticated remote takeover of affected devices.
Authentication bypass in the Aqara IAM/SSO Gateway (gw-builder.aqara.com) stems from a hardcoded OAuth client credential shipped in the identity backend, letting remote attackers impersonate a trusted OAuth client and subvert the single sign-on trust boundary. Discovered by runZero and tracked as EUVD-2026-36473, it carries a critical CVSS of 9.8 and a proof-of-concept is publicly available, though EPSS (0.03%) shows no evidence of widespread automated exploitation. On its own it compromises the SSO/authorization layer, but chained with CVE-2026-50082, CVE-2026-50084, and CVE-2026-50085 it enables a fully unauthenticated remote takeover of affected devices.