Cloud Developer Portal
Monthly
Unauthenticated developer token issuance in the Aqara Cloud Developer Portal (developer.aqara.com) allows any remote attacker to obtain a valid API token by supplying an arbitrary email address, with no ownership verification performed. This is the entry point of a documented four-CVE attack chain (CVE-2026-50082 through CVE-2026-50085) that, when exploited in sequence, enables full takeover of Aqara smart home devices belonging to the victim account. A public proof-of-concept exists on GitHub; no public exploit identified at time of analysis for active exploitation, but the zero-prerequisite nature of this flaw makes it trivially automatable.
Unauthenticated developer token issuance in the Aqara Cloud Developer Portal (developer.aqara.com) allows any remote attacker to obtain a valid API token by supplying an arbitrary email address, with no ownership verification performed. This is the entry point of a documented four-CVE attack chain (CVE-2026-50082 through CVE-2026-50085) that, when exploited in sequence, enables full takeover of Aqara smart home devices belonging to the victim account. A public proof-of-concept exists on GitHub; no public exploit identified at time of analysis for active exploitation, but the zero-prerequisite nature of this flaw makes it trivially automatable.