CVE-2026-50085
HighCVSS 8.6Exploitation Probability (EPSS)
Low risk20th percentile - higher than 20% of all known CVEs
Summary
The Aqara Board service (op-test.aqara.com) accepts arbitrary MQTT command payloads and forwards them to the HiveMQ broker without authentication. This is a missing authentication for critical function (CWE-306) with an estimated CVSS of 8.6 (High). Combined with other vulnerabilities, it can lead to fully unauthenticated remote takeover of affected devices.
Risk Assessment
An attacker can remotely send unauthorized MQTT commands, enabling device manipulation and potential full takeover, compromising confidentiality, integrity, and availability of the system.
Recommendation
Immediately implement authentication for all MQTT connections to the Aqara Board service and restrict access to the HiveMQ broker to authorized clients only.
Original NVD description (English source)
The Aqara Board service (op-test.aqara.com) accepts arbitrary MQTT command payloads, and forwards them to the platfom's HiveMQ broker without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and has an estimated CVSS ofCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L (8.6 High). When combined with CVE-2026-50082, CVE-50083, and CVE-50084, this can lead to a fully unauthenticated, remote takeover of affected devices.

