CVE-2026-50083

Vulnerability

The Aqara IAM/SSO Gateway (gw-builder.aqara.com) contained two hardcoded OAuth client credentials (client_id test1 with secret 123456, and client_id test123 with secret 172799) that were accepted by the /iam/oauthToken/openapi/client/token endpoint. These credentials, an instance of CWE-798, allowed issuance of tokens with scope=all and an expiry of up to 1,799,999,999 seconds (approximately 57 years) [1][2]. The affected versions include all releases prior to the vendor's fix on 2026-04-20.

Exploitation

An attacker with network access to gw-builder.aqara.com can obtain an access token by sending a simple POST request containing the hardcoded client_id and client_secret with grant_type=client_credentials. No authentication or user interaction is required [2]. The token is immediately valid. The IAM gateway does not rate-limit token issuance [2].

Impact

Successful exploitation gives the attacker a bearer token with scope=all, enabling any privileged API call against the IAM gateway. When chained with CVE-2026-50084 (application signing bypass) and CVE-2026-50082 (auth code delivery), this allows unauthenticated, remote full compromise of Aqara devices including smart locks, cameras, and hubs [1][2].

Mitigation

The vendor remediated the issue by 2026-04-20, removing the hardcoded credentials from the gateway [2]. Users should ensure their Aqara account and devices are updated. No workaround is available for unpatched instances. The vulnerability is not listed on CISA's KEV as of the publication date.