CVE-2026-50086 Overview
CVE-2026-50086 affects the Aqara IAM/SSO gateway hosted at gw-builder.aqara.com. The endpoint exposes a bidirectional AES encryption and decryption oracle that uses the platform's signing key. Attackers can reach this oracle over the network without authentication. The flaw combines [CWE-306: Missing Authentication for Critical Function] with [CWE-327: Use of a Broken or Risky Cryptographic Algorithm]. An attacker can forge or decrypt signed tokens by submitting arbitrary plaintext or ciphertext to the gateway.
Critical Impact
Unauthenticated remote attackers can perform AES round-trips against the Aqara platform signing key, enabling token forgery and impersonation across the identity and single sign-on surface.
Affected Products
- Aqara IAM/SSO gateway (gw-builder.aqara.com)
- Aqara cloud identity and single sign-on services dependent on the shared signing key
- Downstream Aqara smart home services that trust IAM-issued tokens
Discovery Timeline
- 2026-06-12 - CVE-2026-50086 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-50086
Vulnerability Analysis
The Aqara IAM/SSO gateway exposes endpoints that accept arbitrary inputs and return AES-encrypted or AES-decrypted output keyed with the platform's signing key. Because the gateway omits authentication, any network client can submit data and read the cryptographic result. This converts the service into a generic oracle. An attacker can encrypt forged claims to obtain valid platform-signed tokens. The same attacker can decrypt captured tokens to recover identity material or signed session state.
Root Cause
The root cause is a design flaw rather than a memory safety bug. The gateway implements a critical cryptographic function without an authentication check, which maps directly to [CWE-306]. It also reuses the platform signing key for an attacker-controllable encryption primitive, which maps to [CWE-327]. Sharing a key across signing and bulk encryption operations breaks the security boundary that protected issued tokens.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker sends crafted HTTP requests to the public gw-builder.aqara.com endpoint. The server returns AES output under the live signing key. Repeated requests allow the attacker to build forged authentication tokens, mint arbitrary identities, or decrypt previously captured cipher material. See the RunZero Security Advisory and the GitHub PoC Repository for the request structure and reproduction steps.
Detection Methods for CVE-2026-50086
Indicators of Compromise
- Outbound connections from internal hosts or accounts to gw-builder.aqara.com that do not correspond to legitimate Aqara device provisioning activity.
- IAM/SSO sessions authenticated with tokens whose subject, audience, or issuance timestamps do not match expected user activity.
- Bursts of requests to the gateway's encrypt and decrypt endpoints from a single source address.
Detection Strategies
- Inspect web and API gateway logs for unauthenticated POST requests to Aqara IAM/SSO endpoints that return encrypted blobs.
- Correlate token issuance events with the originating client identity and flag tokens minted without a preceding interactive login.
- Hunt for token replay by tracking duplicate session identifiers seen from disparate source networks.
Monitoring Recommendations
- Forward authentication, token issuance, and gateway access logs to a centralized analytics platform for retention and search.
- Alert on any successful response from the Aqara IAM/SSO gateway that lacks a preceding authenticated session.
- Track the EPSS trajectory for CVE-2026-50086 and re-evaluate exposure as new exploitation evidence emerges.
How to Mitigate CVE-2026-50086
Immediate Actions Required
- Block egress from corporate and OT networks to gw-builder.aqara.com until Aqara confirms the oracle is closed.
- Invalidate active IAM/SSO sessions and rotate any application secrets that depend on the affected signing key.
- Audit Aqara-linked accounts for unfamiliar device enrollments, API clients, or session activity.
Patch Information
No vendor patch advisory is referenced in the published CVE record. Operators should monitor Aqara communications and the RunZero Security Advisory for fix availability and key rotation guidance.
Workarounds
- Restrict outbound network access to Aqara cloud endpoints from sensitive segments using firewall or proxy egress rules.
- Disable or unlink Aqara integrations from enterprise identity providers until the oracle is remediated.
- Require step-up authentication for any application that previously relied on Aqara IAM/SSO tokens.
# Configuration example: block egress to the vulnerable Aqara gateway
iptables -A OUTPUT -d gw-builder.aqara.com -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

