CVE-2026-50090
Description
Aqara Cloud OAuth endpoint uses suffix-based redirect_uri validation, letting attackers capture auth codes on attacker-controlled domains ending in aqara.com.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Aqara Cloud OAuth Authorization Endpoint at open-cn.aqara.com/oauth/authorize validates the redirect_uri parameter using a suffix match instead of an exact match [1][2]. This is classified as CWE-1289: Improper Validation of Unsafe Equivalence in Input [1]. Any URL ending in aqara.com passes validation, including https://aqara.com.evil.example.com [2]. The endpoint is publicly accessible and unauthenticated. Affected versions include all configurations of the Aqara cloud platform prior to the fix deployed around 2026-04-08 [2].
Exploitation
An attacker only needs network access to the public endpoint and a valid OAuth client_id (which can be obtained from Aqara's public documentation or client applications) [1][2]. The attacker crafts a malicious link: GET https://open-cn.aqara.com/oauth/authorize?response_type=code&client_id=&redirect_uri=https://aqara.com.evil.example.com&state= [2]. When a victim user clicks this link and grants OAuth consent, the authorization code is delivered to the attacker-controlled domain (aqara.com.evil.example.com) [2]. The attacker can then exchange the authorization code for an access token, directly taking over the victim's session with the third-party integration that uses Aqara SSO [2].
Impact
Successful exploitation results in an OAuth account takeover for any third-party integration that authorizes via Aqara SSO [2]. The attacker gains the ability to perform any action the victim is authorized to perform within that integration, which could include accessing sensitive data, controlling smart home devices (locks, cameras, hubs), or modifying configurations [1][2]. The CVSS v3.1 score is 9.3 (Critical) with the vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N [1][2], indicating low attack complexity, no privileges required, user interaction required, changed scope, high confidentiality and high integrity impact.
Mitigation
Aqara remediated this issue on 2026-04-08, as confirmed by the researcher and acknowledged by the vendor on 2026-04-20 [2]. The fix was deployed to the production endpoint open-cn.aqara.com. Because the fix is server-side, no user workaround is necessary once it is applied. Users should still ensure they are running the latest version of any Aqara integrations and verify that third-party applications are configured with correct redirect_uri values. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE. Vulnerability mechanics are only generated when we can read the actual fix diff; without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.