CVE-2026-50087
HighCVSS 8.2Exploitation Probability (EPSS)
Low risk9th percentile - higher than 9% of all known CVEs
Summary
The Aqara IAM/SSO gateway (gw-builder.aqara.com) has a cross-origin request sharing vulnerability due to a permissive cross-domain policy with untrusted domains (CWE-942), with an estimated CVSS score of 8.2 (High).
Risk Assessment
An attacker can exploit this vulnerability to steal authentication credentials or hijack user sessions, leading to data confidentiality and integrity breaches within the organization.
Recommendation
Immediately configure a strict CORS policy on the Aqara IAM/SSO gateway, limiting allowed domains to trusted ones and requiring appropriate security headers.
Original NVD description (English source)
The Aqara IAM/SSO gateway (gw-builder.aqara.com) exhibits a cross-origin request sharing vulnerability, which is an instance of "CWE-942: Permissive Cross-domain Policy with Untrusted Domains," and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High).

