VYPR
High severity · 8.6 · NVD Advisory · Published Jun 12, 2026 · Updated Jun 12, 2026

CVE-2026-50085

Description

The Aqara Board service accepts unauthenticated MQTT commands, enabling remote device takeover when chained with other CVEs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Aqara Board service at op-test.aqara.com exposes an unauthenticated debug API via POST /board/downstream/api/debug that accepts arbitrary MQTT command payloads and forwards them to the platform's HiveMQ broker at 172.16.201.20. Additionally, the endpoints /board/downstream/panel/config/down and an unauthenticated WebSocket at /board/ws exhibit the same behavior. The service runs as root. This is documented in the researcher's report [1] and the runZero advisory [2].

Exploitation

An attacker with network access to the Aqara Board service can send a crafted POST request with a JSON payload containing an MQTT action (e.g., {"action":"query"}) without any authentication. The request is forwarded to the HiveMQ broker, allowing command injection into the device fleet. This step is the final link in a four-CVE chain (CVE-2026-50082 to CVE-2026-50085) that enables fully unauthenticated remote device takeover [1][2].

Impact

Successful exploitation allows an attacker to send arbitrary MQTT commands to smart locks, cameras, hubs, and sensors on the Aqara platform. The CVSS v3.1 score is 8.6 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L, indicating high integrity impact (device command execution) and low confidentiality/availability impact. When combined with the other CVEs in the chain, the attacker can achieve full remote control of affected devices [1][2].

Mitigation

The vendor (Aqara) stated that this issue was fixed as of April 20, 2026, according to the disclosure timeline [1][2]. Users should ensure their Aqara Board service is updated to the patched version. No workarounds are documented. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context is available for this CVE; the mechanics section is only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 0 (no linked articles in our index yet)