CVE-2026-50087
Description
The Aqara IAM/SSO gateway at gw-builder.aqara.com reflects arbitrary Origin headers with credentials, exposing SSO responses to cross-origin theft.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Aqara IAM/SSO gateway (gw-builder.aqara.com) sets Access-Control-Allow-Origin to the value of the request's Origin header and Access-Control-Allow-Credentials: true on endpoints under /iam/*. No origin allowlist is enforced, so the behaviour matches CWE-942 (Permissive Cross-domain Policy with Untrusted Domains). Affected endpoints include /iam/ucauth/openapi/login, /iam/ucauth/sendAuthCode, /iam/ucauth/resetPassword, /iam/ucauth/toUniAuthUrl/google, /iam/oauthToken/aseEncrypt, and /iam/oauthToken/aseDecrypt [1][2].
Exploitation
An attacker hosting a malicious webpage must lure a logged-in Aqara user into visiting it (user interaction required). The page issues a cross-origin POST request to any of the vulnerable /iam/* endpoints with the user's cookies attached (via withCredentials). Because the gateway echoes the attacker's Origin header back in Access-Control-Allow-Origin and allows credentials, the browser lets the attacker's script read the response body [1][2].
Impact
A successful cross-origin read exposes sensitive SSO response data such as account-existence oracle results, authentication codes, and OAuth URLs. Combined with CVE-2026-50086 (AES oracle) and CVE-2026-50088 (developer portal CORS), this can enable account takeover or token theft. The CVSS score is 8.2 (High) [1][2].
Mitigation
The vendor stated that the issue was fixed as of April 20, 2026 [2], and the fix was reportedly deployed to the live gateway. Users should make sure they are on the latest version; no workaround is available for previous configurations.
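As an added illustration (not code from Aqara or from the referenced reports), the reflecting pattern the narrative describes is shown beside an allowlist-based correction, together with a review check that flags the CWE-942 pattern in captured request/response pairs. The allowlisted origins, the attacker origin and the sample exchanges are constructed values; the endpoint paths are the ones named above.

```python
# Hypothetical allowlist of exact origins (scheme://host[:port]) the gateway should trust.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://console.example.com"})


def reflecting_cors_headers(request_origin):
    """The misconfiguration pattern described for CVE-2026-50087 (CWE-942):
    whatever Origin the browser sends is echoed back and credentials are
    allowed, so any site can read credentialed responses from /iam/*."""
    if request_origin is None:
        return {}
    return {"Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true"}


def allowlisted_cors_headers(request_origin):
    """Hardened form: only an exact allowlist match receives CORS headers.
    Any other origin (including the literal 'null' origin, or a different
    scheme or port) gets none, so the browser blocks the cross-origin read.
    Vary: Origin keeps caches from replaying one origin's header to another."""
    if request_origin is None or request_origin not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


def is_permissive_credentialed_cors(request_origin, response_headers):
    """Review check: True when a response allows credentials and either uses
    the wildcard or reflects an Origin that is not on the allowlist."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    creds = response_headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if not creds or acao is None:
        return False
    return acao == "*" or (acao == request_origin and acao not in ALLOWED_ORIGINS)


# Constructed sample exchanges: (request path, request Origin, response headers).
SAMPLE_EXCHANGES = [
    ("/iam/ucauth/openapi/login", "https://attacker.example",
     {"Access-Control-Allow-Origin": "https://attacker.example",
      "Access-Control-Allow-Credentials": "true"}),
    ("/iam/ucauth/sendAuthCode", "https://app.example.com",
     {"Access-Control-Allow-Origin": "https://app.example.com",
      "Access-Control-Allow-Credentials": "true", "Vary": "Origin"}),
    ("/iam/oauthToken/aseEncrypt", "https://attacker.example", {}),
]


def flagged_paths(exchanges):
    """Return the paths whose responses show the permissive credentialed pattern."""
    return [path for path, origin, hdrs in exchanges
            if is_permissive_credentialed_cors(origin, hdrs)]
```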
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Vulnerability mechanics are only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.