Aqara IAM/SSO Gateway Exposes Unauthenticated AES Encryption Oracle (CVE-2026-50086)
critical-cve-against-infra · active
The Aqara IAM/SSO gateway (gw-builder.aqara.com) lets anyone, without authentication, AES-encrypt and AES-decrypt arbitrary data under the platform's signing key. An unauthenticated encrypt/decrypt oracle is as good as holding the key for every operation it serves: an attacker can decrypt any captured data encrypted under that key and forge data the platform will accept as its own, without ever learning the key itself. Closing the endpoint is not sufficient on its own; anything protected by the key while the oracle was reachable has to be treated as exposed, and the key rotated.
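As an added illustration (constructed for this entry, not code from Aqara or from the advisory), the Go program below simulates what an unauthenticated encrypt/decrypt endpoint sharing the platform's key hands an attacker, and two ways of closing it. The SSO token format (`user=alice;role=user`), the `sso-session-token` AAD string, the `Oracle` methods and the random 32-byte key are all assumptions for illustration; the real gateway's endpoints are not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Constructed simulation: an SSO service seals session tokens with AES-GCM under a secret
// key, and a gateway endpoint exposes raw encrypt/decrypt under the SAME key. Key, token
// format, context strings and endpoint shapes are illustrative assumptions, not the real API.

var ErrUnauthenticated = errors.New("oracle: caller not authenticated")
const tokenContext = "sso-session-token" // GCM additional data the SSO service binds tokens to

// check panics on err: a failure here is a setup bug, not an attack outcome.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// seal returns nonce || ciphertext || tag, with the context string as AAD.
func seal(aead cipher.AEAD, context string, pt []byte) []byte {
	nonce := make([]byte, aead.NonceSize())
	_, err := rand.Read(nonce)
	check(err)
	return aead.Seal(nonce, nonce, pt, []byte(context))
}

// open reverses seal; it fails if the tag, the key or the context do not match.
func open(aead cipher.AEAD, context string, ct []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(ct) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, ct[:n], ct[n:], []byte(context))
}

// Oracle models the exposed gateway endpoint: encrypt/decrypt under the platform's key.
type Oracle struct {
	aead        cipher.AEAD
	context     string // AAD the endpoint uses; equals tokenContext in the vulnerable setup
	requireAuth bool   // false in the vulnerable setup: no caller identity is checked
}

func (o Oracle) Encrypt(caller string, pt []byte) ([]byte, error) {
	if o.requireAuth && caller == "" {
		return nil, ErrUnauthenticated
	}
	return seal(o.aead, o.context, pt), nil
}

func (o Oracle) Decrypt(caller string, ct []byte) ([]byte, error) {
	if o.requireAuth && caller == "" {
		return nil, ErrUnauthenticated
	}
	return open(o.aead, o.context, ct)
}

// Attack: an anonymous caller decrypts a captured token via the oracle and has it seal an elevated copy.
func Attack(o Oracle, captured []byte) (leaked string, forged []byte, err error) {
	pt, err := o.Decrypt("", captured)
	if err != nil {
		return "", nil, err
	}
	leaked = string(pt)
	forged, err = o.Encrypt("", []byte(strings.Replace(leaked, "role=user", "role=admin", 1)))
	return leaked, forged, err
}

// Scenario: platform issues a token, attacker abuses the oracle, platform verifies the forgery.
func Scenario(requireAuth bool, oracleContext string) (leaked, accepted string, err error) {
	key := make([]byte, 32) // the platform's secret key; the attacker never sees it
	_, err = rand.Read(key)
	check(err)
	block, err := aes.NewCipher(key)
	check(err)
	aead, err := cipher.NewGCM(block)
	check(err)
	victim := seal(aead, tokenContext, []byte("user=alice;role=user")) // platform issues
	leaked, forged, err := Attack(Oracle{aead, oracleContext, requireAuth}, victim)
	if err != nil {
		return "", "", err
	}
	pt, err := open(aead, tokenContext, forged) // platform verifies the forged token
	return leaked, string(pt), err
}

func main() {
	fmt.Println(Scenario(false, tokenContext))     // vulnerable: shared key, no auth
	fmt.Println(Scenario(true, tokenContext))      // fixed: endpoint requires authentication
	fmt.Println(Scenario(false, "raw-crypto-api")) // defense in depth: separate AAD context
}
```

Running it, the first line shows a forged `role=admin` token being accepted by the platform without the attacker ever holding the key; the second fails with `ErrUnauthenticated`; the third fails GCM tag verification because the endpoint's AAD no longer matches the token context, so even a leaked raw-crypto endpoint cannot mint platform tokens. The third case is defense in depth only: once such an endpoint has been reachable under a key, everything encrypted under that key should be treated as readable and the key rotated.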
Affected packages
Indicators of compromise
- domain: gw-builder.aqara.com