CVE-2026-50086
Description
The Aqara IAM/SSO gateway exposes unauthenticated AES encrypt/decrypt endpoints, allowing attackers to decrypt and forge ciphertexts under the platform's signing key.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Aqara IAM/SSO gateway at gw-builder.aqara.com exposes two unauthenticated endpoints: POST /iam/oauthToken/aseEncrypt and POST /iam/oauthToken/aseDecrypt. These endpoints perform AES encryption and decryption under the platform's signing key in ECB mode, as confirmed by identical 16-byte plaintext blocks producing identical ciphertext blocks [1][2]. The missing authentication on these endpoints is CWE-306 (Missing Authentication for Critical Function), and the use of ECB is CWE-327 (Use of a Broken or Risky Cryptographic Algorithm). The vulnerability affects all versions of the gateway prior to the vendor's fix on April 20, 2026 [2].
Exploitation
An attacker with network access to the gateway can send arbitrary plaintext to the encrypt endpoint to obtain the corresponding ciphertext under the platform's key, or send arbitrary ciphertext to the decrypt endpoint to recover the plaintext. Known ciphertext samples (e.g., admin → o3icZFqAnrbLNYAvMjKpZA==) were observed and successfully round-tripped [2]. Because ECB mode is used, the attacker can also manipulate ciphertext blocks to forge valid encrypted payloads. No authentication, user interaction, or special privileges are required.
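The ECB confirmation described above (identical plaintext blocks giving identical ciphertext blocks) and the block-level forgery it enables, as an added Go example that is not Aqara's code: a local ECB encryptor stands in for the gateway's behaviour, HasRepeatedBlocks is the check a tester or defender runs over an oracle's output or over captured tokens, and AES-GCM is included only as the authenticated contrast, not as what the vendor's fix does. The key and the three-identical-block probe are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// ECBEncrypt mirrors the weakness described above: each 16-byte block is encrypted
// on its own, so equal plaintext blocks give equal ciphertext blocks (no IV/nonce).
func ECBEncrypt(blk cipher.Block, pt []byte) []byte {
	ct := make([]byte, len(pt)) // pt must be block-aligned; the caller pads
	for i := 0; i+aes.BlockSize <= len(pt); i += aes.BlockSize {
		blk.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}

// GCMEncrypt is the authenticated contrast: a random nonce per message plus an
// integrity tag, so equal plaintexts differ and spliced blocks fail to decrypt.
func GCMEncrypt(blk cipher.Block, pt []byte) ([]byte, error) {
	aead, err := cipher.NewGCM(blk)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, pt, nil), nil // nonce || ciphertext || tag
}

// HasRepeatedBlocks flags two identical 16-byte blocks in a ciphertext, which only
// a deterministic mode such as ECB produces; also useful on captured tokens.
func HasRepeatedBlocks(ct []byte) bool {
	seen := map[string]bool{}
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			return true
		}
		seen[b] = true
	}
	return false
}

// ECBProbe is the constructed test input: three identical 16-byte blocks.
var ECBProbe = bytes.Repeat([]byte("AAAAAAAAAAAAAAAA"), 3)
```

Encrypting ECBProbe through the ECB path yields three identical ciphertext blocks and HasRepeatedBlocks returns true; the same probe through GCM returns false.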
Impact
Successful exploitation allows an attacker to decrypt any captured ciphertext (such as cookies, tokens, or structured payloads) that was encrypted with the platform's signing key, and to forge new ciphertexts that will be accepted by the system. This leads to information disclosure of sensitive data and potential privilege escalation by forging authentication tokens. The vulnerability is rated CVSS 7.5 (High) due to network attack vector, low complexity, and no privileges required [2].
Mitigation
The vendor (Aqara) remediated this vulnerability on April 20, 2026, as stated in the disclosure timeline [2]. No workarounds are documented. Users should ensure their gateway instances are updated to the patched version. The vulnerability is part of a chain of ten CVEs disclosed on June 11, 2026 [1].
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions: 0
No linked articles in our index yet.