CVE-2026-50089
Description
The Aqara IAM/SSO Gateway contains an open redirect in skipToUcAuthUrl, enabling phishing attacks by redirecting authenticated users to attacker-controlled sites.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Aqara IAM/SSO Gateway at gw-builder.aqara.com contains an open redirect vulnerability (CWE-601) in the endpoint /iam/ucauth/skipToUcAuthUrl. When a user authenticates, the callBackUrl parameter is passed without validation, resulting in an HTTP 302 redirect to an attacker-controlled URL, which may also include SSO parameters from the session [1][2]. This affects the builder instance at gw-builder.aqara.com and was fixed by the vendor as of April 2026 [2].
Exploitation
An attacker needs no authentication or prior access. They can craft a URL such as https://gw-builder.aqara.com/iam/ucauth/skipToUcAuthUrl?callBackUrl=https://evil.example.com and deliver it to a target user, typically via phishing email or social media. When the user clicks the link and authenticates (e.g., through a legitimate Aqara SSO flow), the browser is redirected to the attacker-controlled domain, optionally carrying an SSO ticket or authorization code in the redirect URL [2].
Impact
Successful exploitation allows an attacker to perform phishing attacks that appear to originate from the legitimate Aqara domain, increasing the likelihood of credential harvesting. Additionally, because the redirect carries SSO parameters, an attacker could capture an SSO ticket or auth code, potentially enabling session hijacking or account takeover on downstream services [1][2].
Mitigation
Aqara remediated this vulnerability by April 8, 2026, after coordinated disclosure [2]. Users of the Aqara IAM/SSO Gateway should ensure they are running the updated version deployed to gw-builder.aqara.com after that date. No workaround is available for the vulnerable endpoint; the fix adds an allowlist for the callBackUrl parameter [2]. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication.
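As an added illustration of the allowlist fix described above (not the vendor's code; the host names and default target are placeholders), a Python validator for callBackUrl shown next to the pre-fix pass-through it replaces:

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist (placeholder hosts, not the vendor's real configuration):
# the exact hosts the gateway is allowed to send an authenticated browser back to.
ALLOWED_CALLBACK_HOSTS = frozenset({"uc.example-aqara.test", "console.example-aqara.test"})
DEFAULT_CALLBACK = "https://uc.example-aqara.test/"


def vulnerable_redirect_target(callback_url: str) -> str:
    """Pre-fix behaviour as the page describes it: callBackUrl is copied into the
    302 Location header without validation, so any absolute URL is honoured."""
    return callback_url


def safe_redirect_target(callback_url: str,
                         allowed_hosts: frozenset = ALLOWED_CALLBACK_HOSTS,
                         fallback: str = DEFAULT_CALLBACK) -> str:
    """Allowlist check in the spirit of the vendor fix: accept callBackUrl only if it
    is an absolute https URL whose host exactly matches an allowlisted host; anything
    else (other scheme, scheme-relative //host, userinfo, lookalike subdomain,
    odd port, backslashes or control characters) falls back to a fixed safe target."""
    if not callback_url:
        return fallback
    # Browsers treat '\' as '/' and drop control chars; urlsplit does not, so reject early.
    if "\\" in callback_url or any(ord(c) < 0x20 or c == "\x7f" for c in callback_url):
        return fallback
    try:
        parts = urlsplit(callback_url)
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return fallback
    if parts.scheme != "https":      # also rejects '' (relative paths and //host forms)
        return fallback
    if parts.username is not None or parts.password is not None:
        return fallback              # 'https://allowed-host@other/' puts the real host after '@'
    host = parts.hostname            # lower-cased, without port or userinfo
    if host is None or host not in allowed_hosts:
        return fallback              # exact match only: no prefix, suffix or substring tests
    if port not in (None, 443):
        return fallback
    # Rebuild from the parsed, normalized parts instead of echoing the raw input.
    return urlunsplit(("https", host, parts.path or "/", parts.query, parts.fragment))
```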
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions: 0
No linked articles in our index yet.