CVE-2026-50084
Description
Aqara cloud API accepts any valid developer token for any user account, enabling cross-account data access and device control.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Aqara Cloud Production API at open-cn.aqara.com/v3.0/open/api suffers from CWE-862 Missing Authorization [1][2]. The API authenticates requests using an MD5 signature composed of Appid, Keyid, Nonce, timestamp, and a SHA-256 hash of the request body. While the signing scheme itself is sound, the authorization check is absent: any valid developer Appid (which can be obtained freely via CVE-2026-50082 [1]) is accepted for invoking user-scoped endpoints against *any* Aqara user account. No per-resource ownership verification is performed. This issue affects all versions of the API prior to the fix deployed around April 2026 [2].
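The following is an added illustration of the CWE-862 pattern described above; it is not Aqara's code and does not reproduce their API. It models a request-signing check alongside two versions of a user-scoped handler: one that stops at "is this signature valid?" (the vulnerable shape) and one that also checks that the calling developer app has been granted access by the targeted user. The concatenation order of the signed fields, the developer-app registry, the user-grant table and all credentials are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed developer-app registry: appid -> keyid and the app's secret key.
# Hypothetical sample data, not real Aqara credentials or storage.
DEVELOPER_APPS = {
    "app-other": {"keyid": "key-O", "appkey": "constructed-secret-O"},
    "app-legit": {"keyid": "key-L", "appkey": "constructed-secret-L"},
}

# Constructed per-user grants: which developer apps a user has authorized.
# This is the relation the vulnerable handler never consults.
USER_GRANTS = {
    "user-victim": {"app-legit"},
}

# Constructed user-scoped data a handler would return.
USER_DATA = {
    "user-victim": {"devices": ["front-door-lock", "hub-1"]},
}


def sign_request(appid, keyid, appkey, nonce, timestamp, body):
    """Stand-in signing scheme mirroring the page's description: an MD5 over
    Appid, Keyid, Nonce, timestamp and SHA-256(body), keyed by the app secret.
    Field order and separator are assumptions for this example."""
    body_hash = hashlib.sha256(body.encode()).hexdigest()
    material = f"{appid}|{keyid}|{nonce}|{timestamp}|{body_hash}|{appkey}"
    return hashlib.md5(material.encode()).hexdigest()


def make_request(appid, user_id, body, now):
    """Build a signed request as a registered developer app would."""
    app = DEVELOPER_APPS[appid]
    nonce = secrets.token_hex(8)
    req = {"appid": appid, "keyid": app["keyid"], "nonce": nonce,
           "timestamp": now, "body": body, "user_id": user_id}
    req["signature"] = sign_request(appid, app["keyid"], app["appkey"],
                                    nonce, now, body)
    return req


def verify_signature(req, now, max_skew=300):
    """Authentication only: proves the caller holds a registered AppKey and the
    body/timestamp were not altered. Says nothing about what the app may access."""
    app = DEVELOPER_APPS.get(req.get("appid"))
    if app is None or app["keyid"] != req.get("keyid"):
        return False
    if abs(now - int(req["timestamp"])) > max_skew:  # reject stale/replayed requests
        return False
    expected = sign_request(req["appid"], app["keyid"], app["appkey"],
                            req["nonce"], req["timestamp"], req["body"])
    return hmac.compare_digest(expected, req.get("signature", ""))


def handle_vulnerable(req, now):
    """Vulnerable shape (CWE-862): a valid developer signature is treated as
    sufficient to act on any user_id supplied in the request."""
    if not verify_signature(req, now):
        return 401, "bad signature"
    return 200, USER_DATA.get(req["user_id"], {})


def handle_fixed(req, now):
    """Hardened shape: after authentication, check that the targeted user has
    actually granted this developer app access to their account."""
    if not verify_signature(req, now):
        return 401, "bad signature"
    if req["appid"] not in USER_GRANTS.get(req["user_id"], set()):
        return 403, "app not authorized for this user"
    return 200, USER_DATA.get(req["user_id"], {})


if __name__ == "__main__":
    now = 1_000_000
    cross = make_request("app-other", "user-victim", '{"op": "list"}', now)
    print("vulnerable:", handle_vulnerable(cross, now))  # 200, data leaks
    print("fixed:     ", handle_fixed(cross, now))       # 403, denied
```

The design point is that the signature check and the ownership check answer different questions. The signature only establishes which registered app is calling; the grant lookup in `handle_fixed` is the per-resource authorization the page says was missing, and it has to be keyed on the targeted user, not on the caller alone.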
Exploitation
An attacker first registers a developer account on the Aqara portal (CVE-2026-50082) to obtain a valid Appid and AppKey. Using these credentials, the attacker can compute the required MD5 signature for any API call. The attacker then crafts requests targeting specific user accounts by supplying the victim's user ID in the endpoint path. Because the API does not verify that the calling developer owns the targeted account, the request is accepted. No user interaction or elevated network position is needed beyond internet access to open-cn.aqara.com [1][2].
Impact
Successful exploitation grants the attacker read and write access to the targeted Aqara user's cloud data, including device configurations, event logs, and account settings. Combined with other vulnerabilities in the chain (CVE-2026-50085 for device debug access), this can lead to full remote takeover of connected smart locks, cameras, and hubs [1]. The CVSS v3.1 score is 9.6 (Critical) with a scope change and high confidentiality/availability impact [2].
Mitigation
Aqara remediated this issue by April 20, 2026, according to the vendor acknowledgment timeline [2]. Users should ensure their Aqara cloud infrastructure and mobile apps (e.g., version 6.0.0 or later) are updated to the latest versions. No workaround is available for unpatched systems. For full details on the fix, refer to the researcher's disclosure [1].
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.