CVE-2026-50082
MediumCVSS 6.5Summary
The Aqara Cloud Developer Portal (developer.aqara.com) issues a developer token to any email address supplied by the attacker. This is an instance of 'CWE-306: Missing Authentication for Critical Function', posing a risk of device takeover by unauthorized users.
Risk Assessment
The organization is at risk of full device takeover by attackers who can exploit the lack of authentication to gain access to critical functions.
Recommendation
It is recommended to implement authentication mechanisms for all critical functions and to monitor access to the developer portal.
Original NVD description (English source)
The Aqara Cloud Developer Portal (developer.aqara.com) issued a developer token to any email address supplied by the attacker. This is an instance of "CWE-306: Missing Authentication for Critical Function" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (6.5 Medium). When combined with CVE-2026-50083, CVE-2026-50084, and CVE-2026-50085, any otherwise-unauthenticated attacker could execute a full takeover of affected devices.

