Aqara Cloud Production API Missing Authorization Allows Cross-Account Access (CVE-2026-50084)
critical-cve-against-infra · active
The Aqara Cloud Production API would authorize any valid developer token to access any account, a missing-authorization flaw (CVE-2026-50084, CVSS 9.6). When chained with related vulnerabilities, it can enable fully unauthenticated, remote takeover of affected Aqara smart-home devices.
Affected packages
Indicators of compromise
- domain: open-cn.aqara.com