CVE-2026-50091
Description
Aqara Home Android app 6.0.0 uses hard-coded cryptographic keys in liblumidevsdk.so, enabling unauthenticated attackers to forge device signatures and decrypt communications.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Aqara Home Android (com.lumiunited.aqarahome) version 6.0.0 and white-label clients embedding the same liblumidevsdk.so contain two static cryptographic keys hard-coded into the native library [1][2]. These keys are recoverable via strings from any installation and are identical across all builds. They control camera authentication signatures, device pairing payloads, and content encryption between the client and the Aqara cloud platform. This is an instance of CWE-321: Use of Hard-coded Cryptographic Key [2].
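The finding above is that the keys sit as plain constants in the shipped native library. The check below is an added example, not code from the advisory or from Aqara, of the kind of pre-release audit that catches this class of defect: it walks a binary the way `strings` does and flags printable runs whose length, alphabet and entropy are typical of raw keys. The byte blob, the length set and the entropy threshold are constructed heuristics for illustration; the page does not state the format of the real keys.

```python
import base64
import math
import re

# Printable-ASCII runs of at least 16 bytes, mimicking `strings -n 16`.
_RUN = re.compile(rb"[\x20-\x7e]{16,}")
# Lengths of 128/192/256-bit keys rendered as hex, or 256-bit keys as base64.
# Constructed heuristic, not a vendor-specific rule.
_KEY_LENGTHS = {16, 24, 32, 44, 64}
_HEX = re.compile(r"^[0-9a-fA-F]+$")
_B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed stand-in for a native library: an ELF-like header, a few ordinary
# symbol names, two key-shaped constants and two 32-char strings that are not keys.
SAMPLE_LIB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"lumi_sign_request\x00libc.so\x00"
    + b"7c2e94a1f06b3d85d40e6a8c2571f9b3\x00"                        # 128-bit hex key shape
    + base64.b64encode(b"All your keys are belong to us!!") + b"\x00"  # 44-char base64 shape
    + b"00000000000000000000000000000000\x00"                        # low-entropy filler
    + b"this is a normal log message 123\x00"                        # text, not key-shaped
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a repeated single character)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def find_key_candidates(blob: bytes, min_entropy: float = 3.0) -> list:
    """Return printable runs that look like embedded key material."""
    hits = []
    for m in _RUN.finditer(blob):
        s = m.group().decode("ascii")
        if len(s) not in _KEY_LENGTHS:
            continue
        if not (_HEX.match(s) or _B64.match(s)):
            continue
        if shannon_entropy(s) < min_entropy:
            continue  # repetitive filler such as all zeros is not a key
        hits.append(s)
    return hits


if __name__ == "__main__":
    for candidate in find_key_candidates(SAMPLE_LIB):
        print("possible hard-coded key:", candidate)
```

Any hit in a release build warrants a review of where that constant flows; a key that appears in every installation cannot authenticate anyone.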
Exploitation
An attacker can extract the hard-coded keys from any copy of the application without authentication [1]. With these keys, the attacker can forge camera authentication signatures, impersonate device pairing flows, and decrypt encrypted content captured from a privileged man-in-the-middle (MITM) network position [2]. No user interaction or prior access is required; the attacker only needs network connectivity to the target device or the Aqara cloud endpoints.
Impact
Successful exploitation leads to high confidentiality and integrity impact (CVSS 9.1) [2]. The attacker can decrypt encrypted communications, forge device identities, and inject malicious commands into device pairing or camera authentication processes. Availability is not affected (A:N). The compromise can affect any device or account interacting with the compromised SDK.
Mitigation
As of the public disclosure date (2026-06-12), no fix has been released for this issue [1][2]. The hard-coded keys are embedded in the native library and cannot be rotated without a coordinated firmware and app update across the entire Aqara ecosystem. The vendor was notified on 2026-03-13 and acknowledged the issue, but some findings remained unfixed as of 2026-04-20 [2]. Users should monitor official Aqara channels for a future update that replaces the static keys with a dynamic key exchange mechanism.
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 6.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.