CVE-2026-50088
HighCVSS 8.2Exploitation Probability (EPSS)
Low risk8th percentile - higher than 8% of all known CVEs
Summary
The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) have an overly permissive CORS policy, allowing unauthorized domains to make cross-origin requests. This vulnerability is classified as CWE-942 and has an estimated CVSS score of 8.2 (High).
Risk Assessment
An attacker can exploit this vulnerability to steal sensitive user data (e.g., session tokens) and perform unauthorized actions in the context of a logged-in user, potentially leading to data confidentiality and integrity breaches.
Recommendation
Immediately configure a strict CORS policy, limiting allowed domains to trusted origins only, and implement validation mechanisms for Origin and Referer headers.
Original NVD description (English source)
The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) exhibit cross-origin request sharing, which is an instance of "CWE-942: Permissive Cross-domain Policy with Untrusted Domains," and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High).

