CVE Catalog

CVE-2026-50087

HighCVSS 8.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.19%

9th percentile - higher than 9% of all known CVEs

Summary

The Aqara IAM/SSO gateway (gw-builder.aqara.com) has a cross-origin request sharing vulnerability due to a permissive cross-domain policy with untrusted domains (CWE-942), with an estimated CVSS score of 8.2 (High).

Risk Assessment

An attacker can exploit this vulnerability to steal authentication credentials or hijack user sessions, leading to data confidentiality and integrity breaches within the organization.

Recommendation

Immediately configure a strict CORS policy on the Aqara IAM/SSO gateway, limiting allowed domains to trusted ones and requiring appropriate security headers.

Original NVD description (English source)

The Aqara IAM/SSO gateway (gw-builder.aqara.com) exhibits a cross-origin request sharing vulnerability, which is an instance of "CWE-942: Permissive Cross-domain Policy with Untrusted Domains," and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High).

Vulnerability data from NVD (NIST) · CISA KEV · EPSS