Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-50084

CVE-2026-50084: Aqara Cloud API Auth Bypass Vulnerability

CVE-2026-50084 is an authorization bypass flaw in Aqara Cloud Production API that allows any valid developer token to access any account. This article covers the technical details, affected systems, and mitigation strategies.

Published:

CVE-2026-50084 Overview

CVE-2026-50084 is a missing authorization vulnerability [CWE-862] in the Aqara Cloud Production API endpoint at open-cn.aqara.com/v3.0/open/api. The API accepts any valid developer token and grants access to any account, regardless of ownership. An attacker with a legitimate developer token can read or modify data belonging to arbitrary Aqara users.

The issue chains with CVE-2026-50082, CVE-2026-50083, and CVE-2026-50085 to enable fully unauthenticated remote takeover of affected Aqara smart home devices.

Critical Impact

A low-privilege developer token bypasses account isolation and exposes every Aqara cloud account to remote control and data theft.

Affected Products

  • Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api)
  • Aqara smart home devices managed through the Aqara cloud
  • Aqara developer platform tenants

Discovery Timeline

  • 2026-06-12 - CVE-2026-50084 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-50084

Vulnerability Analysis

The Aqara Cloud Production API authenticates requests using developer tokens issued through the Aqara open platform. The API verifies that the token is valid and active. It does not verify that the token's owner is authorized to act on the target account or device.

An attacker registers as a developer, obtains a token through the normal onboarding flow, and then submits API requests referencing arbitrary account identifiers or device identifiers. The backend returns data and accepts commands without enforcing object-level access control. This is a textbook instance of Broken Object Level Authorization (BOLA) at the cloud control plane.

When combined with the sibling CVEs in the disclosure, the developer token requirement falls away entirely, producing an unauthenticated path from the public internet to device control.

Root Cause

The API performs authentication checks but omits authorization checks tying the calling principal to the requested resource. The Aqara backend treats a valid developer token as sufficient evidence for any cross-tenant operation.

Attack Vector

The attack vector is network-based and requires only a low-privilege developer token, which Aqara issues to anyone who registers on the open platform. No user interaction is required, and the scope change reflects that a developer-tier credential reaches data and devices owned by unrelated end users.

The vulnerability is described in prose only. See the RunZero Security Advisory and the GitHub PoC Repository for request-level technical details.

Detection Methods for CVE-2026-50084

Indicators of Compromise

  • Outbound HTTPS traffic from internal hosts or unusual geographies to open-cn.aqara.com outside expected developer workflows.
  • Aqara device state changes, pairing events, or configuration updates that do not correlate with end-user actions in the Aqara mobile app.
  • Cloud audit entries showing the same developer token operating across many unrelated account identifiers.

Detection Strategies

  • Inspect proxy and DNS logs for requests to open-cn.aqara.com/v3.0/open/api originating from systems that should not host Aqara integrations.
  • Correlate Aqara device event histories with user-driven activity to surface commands that lack a corresponding user session.
  • For organizations running Aqara integrations, alert on developer tokens issuing requests against account IDs outside the registered tenant scope.

Monitoring Recommendations

  • Forward Aqara webhook and device event logs to a central log store for retention and correlation.
  • Track baseline API call patterns per developer token and flag deviations in target account diversity.
  • Monitor smart-lock, camera, and sensor devices for state transitions outside business hours.

How to Mitigate CVE-2026-50084

Immediate Actions Required

  • Rotate or revoke any Aqara developer tokens stored in code repositories, CI systems, or operational tooling.
  • Restrict outbound network access to open-cn.aqara.com to only the hosts that require it.
  • Audit Aqara accounts and connected devices for unexpected pairings, automations, or shared users.

Patch Information

The vulnerability resides in Aqara's cloud service, so remediation is delivered server-side by the vendor rather than through a device firmware update. Refer to the RunZero Security Advisory for the current vendor response status. No vendor advisory URL was published in the NVD record at the time of writing.

Workarounds

  • Disable or remove Aqara cloud integrations from sensitive environments until the vendor confirms server-side authorization fixes.
  • Place Aqara hubs and devices on an isolated network segment with no access to corporate resources.
  • Review and minimize the scopes granted to any developer tokens that must remain active.
bash
# Example: block outbound access to the affected API endpoint
iptables -A OUTPUT -d open-cn.aqara.com -p tcp --dport 443 -j REJECT

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.