CVE Catalog

CVE-2026-50085

HighCVSS 8.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.28%

20th percentile - higher than 20% of all known CVEs

Summary

The Aqara Board service (op-test.aqara.com) accepts arbitrary MQTT command payloads and forwards them to the HiveMQ broker without authentication. This is a missing authentication for critical function (CWE-306) with an estimated CVSS of 8.6 (High). Combined with other vulnerabilities, it can lead to fully unauthenticated remote takeover of affected devices.

Risk Assessment

An attacker can remotely send unauthorized MQTT commands, enabling device manipulation and potential full takeover, compromising confidentiality, integrity, and availability of the system.

Recommendation

Immediately implement authentication for all MQTT connections to the Aqara Board service and restrict access to the HiveMQ broker to authorized clients only.

Original NVD description (English source)

The Aqara Board service (op-test.aqara.com) accepts arbitrary MQTT command payloads, and forwards them to the platfom's HiveMQ broker without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and has an estimated CVSS ofCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L (8.6 High). When combined with CVE-2026-50082, CVE-50083, and CVE-50084, this can lead to a fully unauthenticated, remote takeover of affected devices.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS