VYPR
Medium severity (CVSS 6.5) · NVD Advisory · Published Jun 12, 2026 · Updated Jun 12, 2026

CVE-2026-50082

Description

Aqara Cloud Developer Portal issues developer tokens to any email without authentication, enabling unauthenticated attackers to start a chain leading to device takeover.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Aqara Cloud Developer Portal at developer.aqara.com exposes the endpoint POST /open-server/authcode/get which accepts any email address and sends a verification code to that address, allowing an attacker to complete a developer-account signup without any authentication or approval workflow [1][2]. This is an instance of CWE-306: Missing Authentication for Critical Function. The vulnerability affects all versions of the developer portal prior to the fix applied in April 2026 [2].

Exploitation

An unauthenticated attacker with network access to the developer portal can send a POST request to /open-server/authcode/get with a JSON body containing an arbitrary email address and "type":1. The server responds with a success message and sends a verification code to the supplied email. The attacker can then use that code to complete registration and obtain a valid developer account, including an Appid and Keyid [1][2]. This step serves as the entry point for a four-step chain that leverages additional vulnerabilities (CVE-2026-50083, CVE-2026-50084, CVE-2026-50085) to achieve full device takeover [1][2].

Impact

By exploiting this vulnerability, an attacker gains a legitimate developer account with credentials that the production API at open-cn.aqara.com accepts as authorization to call user-scope endpoints [2]. While the direct impact is limited to disclosure of developer tokens and the ability to create accounts (CVSS 6.5, Medium), the real value is as the first step in a chain that can lead to complete compromise of affected Aqara smart locks, cameras, and hubs [1][2].

Mitigation

The vendor marked this issue as fixed in an acknowledgment table dated April 20, 2026 [2]. No workaround is available; users should ensure their developer portal access is updated to the patched version. Independent re-testing is pending [2].

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. The mechanics section is only generated when we can read the actual fix diff; without it, the four parts (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 0. No linked articles in our index yet.