Skip to main content

Cloud Production Api

1 CVEs product

Monthly

CVE-2026-50084 MEDIUM PATCH This Month

Broken authorization in the Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) allows any valid developer token to operate against arbitrary user accounts, breaking tenant isolation across the platform. Discovered and disclosed by runZero, the issue stems from missing authorization checks (CWE-862) and, when chained with CVE-2026-50082/50083/50085, enables fully unauthenticated remote takeover of affected smart-home devices. No public exploit identified at time of analysis, though a related researcher repository is referenced in the advisory.

Authentication Bypass Cloud Production Api
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Broken authorization in the Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) allows any valid developer token to operate against arbitrary user accounts, breaking tenant isolation across the platform. Discovered and disclosed by runZero, the issue stems from missing authorization checks (CWE-862) and, when chained with CVE-2026-50082/50083/50085, enables fully unauthenticated remote takeover of affected smart-home devices. No public exploit identified at time of analysis, though a related researcher repository is referenced in the advisory.

Authentication Bypass Cloud Production Api
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy