CVE Catalog

CVE-2026-50084

CriticalCVSS 9.6
Published: Updated: Translated: NVD NIST

Summary

The Aqara Cloud Production API allows any valid developer token to access any account, representing a case of missing authorization. When combined with other vulnerabilities, it can lead to unauthenticated remote takeover of devices.

Risk Assessment

The organization is at risk of complete control takeover of devices, which may result in data loss and privacy breaches.

Recommendation

It is recommended to immediately update the system and implement additional authorization mechanisms for the API to secure access to user accounts.

Original NVD description (English source)

The Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) would authorize any valid developer token for access to any account. This is an instance of "CWE-862: Missing Authorization" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N (9.6 Critical). When combined with CVE-2026-50082, CVE-50083, and CVE-50085, this can lead to a fully unauthenticated, remote takeover of affected devices.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS