Cloud Production Api
Monthly
Broken authorization in the Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) allows any valid developer token to operate against arbitrary user accounts, breaking tenant isolation across the platform. Discovered and disclosed by runZero, the issue stems from missing authorization checks (CWE-862) and, when chained with CVE-2026-50082/50083/50085, enables fully unauthenticated remote takeover of affected smart-home devices. No public exploit identified at time of analysis, though a related researcher repository is referenced in the advisory.
Broken authorization in the Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) allows any valid developer token to operate against arbitrary user accounts, breaking tenant isolation across the platform. Discovered and disclosed by runZero, the issue stems from missing authorization checks (CWE-862) and, when chained with CVE-2026-50082/50083/50085, enables fully unauthenticated remote takeover of affected smart-home devices. No public exploit identified at time of analysis, though a related researcher repository is referenced in the advisory.