Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-50085

CVE-2026-50085: Aqara Board Service Auth Bypass Flaw

CVE-2026-50085 is an authentication bypass vulnerability in Aqara Board service that allows unauthenticated MQTT command injection. This flaw can lead to remote device takeover when chained with other CVEs.

Published:

CVE-2026-50085 Overview

CVE-2026-50085 is a missing authentication vulnerability in the Aqara Board service hosted at op-test.aqara.com. The service accepts arbitrary MQTT command payloads from remote clients and forwards them to the platform's HiveMQ broker without verifying the sender. This flaw is tracked under CWE-306: Missing Authentication for Critical Function. When chained with CVE-2026-50082, CVE-2026-50083, and CVE-2026-50084, an unauthenticated remote attacker can take over affected Aqara IoT devices. The issue was disclosed in a RunZero Security Advisory with an accompanying GitHub PoC Repository.

Critical Impact

Unauthenticated attackers can inject arbitrary MQTT commands into the Aqara IoT platform, enabling remote device takeover when combined with related advisories.

Affected Products

  • Aqara Board debug service at op-test.aqara.com
  • Aqara IoT platform HiveMQ MQTT broker
  • Aqara smart home devices connected through the platform

Discovery Timeline

  • 2026-06-12 - CVE-2026-50085 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-50085

Vulnerability Analysis

The Aqara Board service at op-test.aqara.com exposes a debug API that accepts MQTT command payloads from arbitrary network clients. The service then relays those payloads to the platform's HiveMQ broker without performing any authentication or authorization check on the originating request. Any remote attacker who can reach the HTTPS endpoint can publish commands to internal MQTT topics. Those topics control device-side logic across the Aqara IoT fleet, so injected payloads reach production devices that trust messages from the broker.

Root Cause

The root cause is the absence of authentication on a critical relay function ([CWE-306]). The Board service treats its inbound HTTP interface as a trusted control channel, yet it is exposed to the public internet. Because the broker accepts forwarded messages as authoritative, the missing check at the front-end breaks the trust boundary between external clients and the internal MQTT fabric.

Attack Vector

The attack vector is network-based and requires no privileges or user interaction. An attacker sends a crafted HTTP request containing an MQTT command payload to the debug endpoint. The Board service forwards the payload to HiveMQ, which distributes it to subscribed devices. By chaining CVE-2026-50085 with CVE-2026-50082, CVE-2026-50083, and CVE-2026-50084, the attacker can issue device-targeted commands that result in full remote takeover. See the RunZero Security Advisory and the GitHub PoC Repository for the exploit chain details.

Detection Methods for CVE-2026-50085

Indicators of Compromise

  • Outbound HTTPS requests to op-test.aqara.com from hosts that are not Aqara development systems.
  • Unexpected MQTT PUBLISH events on Aqara device topics that did not originate from the cloud control plane.
  • Aqara devices executing configuration changes, firmware operations, or command sequences without a corresponding user action in the mobile app.

Detection Strategies

  • Inspect network telemetry for connections to Aqara debug subdomains and correlate with device behavior changes.
  • Monitor MQTT broker logs for command messages whose payload structure matches the PoC published in the GitHub repository.
  • Baseline normal device command frequency and alert on bursts of administrative MQTT topics.

Monitoring Recommendations

  • Forward IoT segment NetFlow and DNS logs to a centralized analytics platform for retention and search.
  • Enable broker-side audit logging on any internal MQTT infrastructure and review for unauthenticated publishers.
  • Track device firmware and configuration state to detect unauthorized modifications that may follow exploitation.

How to Mitigate CVE-2026-50085

Immediate Actions Required

  • Block egress to op-test.aqara.com from production and IoT network segments until Aqara confirms remediation.
  • Isolate Aqara devices on a dedicated VLAN with restrictive ACLs that limit inbound and outbound traffic to known cloud endpoints.
  • Review device logs and configuration state for unexpected command activity consistent with the disclosed PoC.

Patch Information

No vendor patch URL is listed in the NVD entry at publication. Operators should monitor Aqara security communications and the RunZero Security Advisory for fix availability. Because the vulnerable component is a vendor-hosted cloud service, remediation depends primarily on Aqara enforcing authentication on the Board service and restricting public exposure.

Workarounds

  • Place Aqara devices behind a network segment that denies traffic from untrusted sources and inspects outbound TLS metadata.
  • Disable or restrict any optional cloud integrations not required for daily operation to reduce attack surface.
  • Apply egress filtering that allows only documented Aqara production hostnames, blocking debug and test subdomains.
bash
# Example egress filter to block the vulnerable debug endpoint
iptables -A FORWARD -m string --string "op-test.aqara.com" --algo bm -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.