CVE-2026-50088
Description
Aqara Developer Portal and test environments have permissive CORS policies reflecting null and GitHub Pages origins, enabling cross-origin attacks to manipulate developer accounts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
[1][2] The Aqara Developer Portal at developer.aqara.com and the shared test environments developer-test.aqara.com and aiot-test.aqara.com have permissive Cross-Origin Resource Sharing (CORS) policies, corresponding to CWE-942. Specifically, the endpoint developer.aqara.com/open-server/* reflects Origin: null and Origin: https://*.github.io into the Access-Control-Allow-Origin header. Additionally, the test environments return Access-Control-Allow-Origin: * on GET/POST responses.
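As an added example (not Aqara's code, nor this site's), the following shows an exact-match origin allowlist that avoids the reflection described above, beside a small checker that flags the three permissive patterns named here: `null` reflection, a bare wildcard, and reflection of a shared-hosting `*.github.io` origin. The allowed origin and the response headers are constructed placeholders.

```python
"""Added example (not Aqara's code): strict CORS origin handling beside a
checker for the permissive patterns described on this page."""
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist for illustration; a real deployment holds its own exact
# first-party origins (scheme + host + port), never patterns and never "null".
ALLOWED_ORIGINS = {"https://developer.example-portal.test"}


def allow_origin_header(request_origin: Optional[str]) -> Optional[str]:
    """Return the Access-Control-Allow-Origin value to emit, or None to omit it.
    Exact string match only: "null" (sandboxed iframes, file://, some redirects)
    and sub-domain matches such as anything under github.io are never reflected."""
    if request_origin is None or request_origin == "null":
        return None
    if request_origin in ALLOWED_ORIGINS:
        return request_origin
    return None


def cors_findings(request_origin: str, response_headers: dict) -> list:
    """Flag a response's CORS headers the way a reviewer would after sending a
    crafted Origin header. Header names are compared case-insensitively."""
    hdrs = {k.lower(): v for k, v in response_headers.items()}
    acao = hdrs.get("access-control-allow-origin")
    creds = hdrs.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if acao is None:
        return findings  # no cross-origin read permitted at all
    if acao == "null":
        findings.append("reflects null origin")
    elif acao == "*":
        findings.append("wildcard origin")
    elif acao == request_origin and acao not in ALLOWED_ORIGINS:
        host = urlsplit(acao).hostname or ""
        kind = "shared-hosting" if host.endswith(".github.io") else "untrusted"
        findings.append(f"reflects {kind} origin {acao}")
    if findings and creds:
        # Reflection plus credentials lets a page read authenticated responses.
        findings.append("credentials allowed: authenticated cross-origin reads")
    return findings
```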
Exploitation
[2] An attacker can exploit this by embedding a sandboxed iframe on any web page, which naturally sends requests with a null origin. Alternatively, a GitHub Pages site can be used to send requests from a `*.github.io` origin. The CORS policy reflects these origins, allowing cross-origin read access to responses. No authentication is required, and the attack requires only user interaction (visiting the malicious page). Combined with CVE-2026-50082, the attacker can register a developer account in the victim's name and enumerate accounts via the victim's IP.
Impact
[1][2] Successful exploitation allows an attacker to perform cross-origin reads on the developer portal and test environments, potentially leaking sensitive information such as user existence (account enumeration) and manipulating developer accounts. The test environments share the production user database, amplifying the impact. The CVSS v3.1 score is 8.2 (High) with Confidentiality High, Integrity Low, and Scope Changed.
Mitigation
[2] The vendor stated on 2026-04-20 that this issue has been fixed. No specific fixed version number is provided in the public disclosures. Users should ensure they are using the latest version of the Aqara Developer Portal. No workaround is available besides upgrading. The CVE is not listed on the CISA KEV as of this writing.
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE; the mechanics section is only generated when we can read the actual fix diff. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions: 0
No linked articles in our index yet.