CVE Catalog

CVE-2026-50082

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Summary

The Aqara Cloud Developer Portal (developer.aqara.com) issues a developer token to any email address supplied by the attacker. This is an instance of 'CWE-306: Missing Authentication for Critical Function', posing a risk of device takeover by unauthorized users.

Risk Assessment

The organization is at risk of full device takeover by attackers who can exploit the lack of authentication to gain access to critical functions.

Recommendation

It is recommended to implement authentication mechanisms for all critical functions and to monitor access to the developer portal.

Original NVD description (English source)

The Aqara Cloud Developer Portal (developer.aqara.com) issued a developer token to any email address supplied by the attacker. This is an instance of "CWE-306: Missing Authentication for Critical Function" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (6.5 Medium). When combined with CVE-2026-50083, CVE-2026-50084, and CVE-2026-50085, any otherwise-unauthenticated attacker could execute a full takeover of affected devices.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS