Skip to main content

Cloud Developer Portal

1 CVEs product

Monthly

CVE-2026-50082 MEDIUM PATCH This Month

Unauthenticated developer token issuance in the Aqara Cloud Developer Portal (developer.aqara.com) allows any remote attacker to obtain a valid API token by supplying an arbitrary email address, with no ownership verification performed. This is the entry point of a documented four-CVE attack chain (CVE-2026-50082 through CVE-2026-50085) that, when exploited in sequence, enables full takeover of Aqara smart home devices belonging to the victim account. A public proof-of-concept exists on GitHub; no public exploit identified at time of analysis for active exploitation, but the zero-prerequisite nature of this flaw makes it trivially automatable.

Authentication Bypass Cloud Developer Portal
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Unauthenticated developer token issuance in the Aqara Cloud Developer Portal (developer.aqara.com) allows any remote attacker to obtain a valid API token by supplying an arbitrary email address, with no ownership verification performed. This is the entry point of a documented four-CVE attack chain (CVE-2026-50082 through CVE-2026-50085) that, when exploited in sequence, enables full takeover of Aqara smart home devices belonging to the victim account. A public proof-of-concept exists on GitHub; no public exploit identified at time of analysis for active exploitation, but the zero-prerequisite nature of this flaw makes it trivially automatable.

Authentication Bypass Cloud Developer Portal
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy