CVE Catalog

CVE-2026-50088

HighCVSS 8.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

8th percentile - higher than 8% of all known CVEs

Summary

The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) have an overly permissive CORS policy, allowing unauthorized domains to make cross-origin requests. This vulnerability is classified as CWE-942 and has an estimated CVSS score of 8.2 (High).

Risk Assessment

An attacker can exploit this vulnerability to steal sensitive user data (e.g., session tokens) and perform unauthorized actions in the context of a logged-in user, potentially leading to data confidentiality and integrity breaches.

Recommendation

Immediately configure a strict CORS policy, limiting allowed domains to trusted origins only, and implement validation mechanisms for Origin and Referer headers.

Original NVD description (English source)

The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) exhibit cross-origin request sharing, which is an instance of "CWE-942: Permissive Cross-domain Policy with Untrusted Domains," and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High).

Vulnerability data from NVD (NIST) · CISA KEV · EPSS