Aqara IAM/SSO Gateway Uses Hardcoded OAuth Client Credential (CVE-2026-50083)
critical-cve-against-infra · active
The Aqara IAM/SSO Gateway (gw-builder.aqara.com) shipped with a hardcoded OAuth client credential (CWE-798), rated critical (CVSS 9.1). When chained with related Aqara vulnerabilities, it can enable a fully unauthenticated, remote takeover of affected smart-home devices.
Affected packages
Indicators of compromise
- domain: gw-builder.aqara.com