Aqara Home Android App Uses Hard-Coded Cryptographic Keys (CVE-2026-50091)

critical-cve-against-dependency · active

The Aqara Home Android app (com.lumiunited.aqarahome) version 6.0.0, and white-label clients that embed the same liblumidevsdk.so library, ship hard-coded cryptographic keys. This flaw (CVE-2026-50091, CWE-321) could let attackers compromise the confidentiality and integrity of protected data, and is rated critical (CVSS 9.1).

Affected packages

Indicators of compromise

• file-pathliblumidevsdk.soNative SDK library embedding the hard-coded cryptographic keys; shared by white-label clients.

Sources

• ghsahttps://github.com/advisories/GHSA-27qj-3j3m-fj5v
• nvdhttps://nvd.nist.gov/vuln/detail/CVE-2026-50091
• google-searchhttps://github.com/xn0tsa/theres-no-place-like-home
• google-searchhttps://www.runzero.com/advisories/aqara-hardcoded-sdk-keys-cve-2026-50091