Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-50087

CVE-2026-50087: Aqara IAM/SSO Gateway CSRF Vulnerability

CVE-2026-50087 is a cross-site request forgery flaw in Aqara IAM/SSO Gateway that enables unauthorized cross-origin requests. This article covers the technical details, security impact, and mitigation strategies.

Published:

CVE-2026-50087 Overview

CVE-2026-50087 is a permissive Cross-Origin Resource Sharing (CORS) vulnerability in the Aqara Identity and Access Management (IAM) and Single Sign-On (SSO) gateway hosted at gw-builder.aqara.com. The flaw is classified as [CWE-942: Permissive Cross-domain Policy with Untrusted Domains]. The gateway accepts cross-origin requests from untrusted domains, allowing attacker-controlled web pages to issue authenticated requests against the Aqara IAM/SSO service. Successful exploitation leads to disclosure of sensitive account and session data belonging to authenticated Aqara users.

Critical Impact

An attacker who lures an authenticated Aqara user to a malicious web page can read sensitive responses from the IAM/SSO gateway across origins, exposing identity tokens and account information.

Affected Products

  • Aqara IAM/SSO gateway at gw-builder.aqara.com
  • Aqara cloud services relying on the affected SSO endpoint
  • Aqara user accounts authenticated to the gateway

Discovery Timeline

  • 2026-06-12 - CVE-2026-50087 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-50087

Vulnerability Analysis

The Aqara IAM/SSO gateway returns CORS response headers that reflect or broadly accept untrusted origins while also permitting credentials. Browsers therefore allow JavaScript running on an attacker domain to read responses from gw-builder.aqara.com after the victim's cookies or bearer tokens are attached. Because the endpoint serves identity and session data, the leaked responses include material sufficient to impersonate the user or access linked smart-home resources.

The issue is a configuration flaw rather than a memory safety bug. The gateway pairs Access-Control-Allow-Origin reflection with Access-Control-Allow-Credentials: true, which is the canonical [CWE-942] pattern. User interaction is required because the victim must visit the attacker-controlled page while authenticated to Aqara.

Root Cause

The root cause is an overly permissive CORS configuration on the IAM/SSO gateway. The server fails to validate the Origin header against an allowlist of trusted Aqara domains before echoing it into the Access-Control-Allow-Origin response header. Combined with credential-bearing requests, this removes the same-origin policy boundary that normally protects authenticated API responses.

Attack Vector

Exploitation proceeds over the network and requires the victim to load attacker-controlled content in a browser session where they are signed in to Aqara. The attacker hosts a page that issues fetch or XMLHttpRequest calls with credentials: 'include' against the vulnerable endpoint. The browser attaches the victim's session, the gateway returns sensitive data with permissive CORS headers, and the attacker's script reads the response and exfiltrates it. Proof-of-concept material is published in the GitHub PoC Repository and analyzed in the RunZero Security Advisory.

Detection Methods for CVE-2026-50087

Indicators of Compromise

  • Outbound HTTPS requests from user browsers to gw-builder.aqara.com originating from referrers other than legitimate Aqara web properties.
  • Server-side access logs showing preflight OPTIONS requests followed by credentialed GET/POST requests with Origin headers pointing to unknown third-party domains.
  • Authentication or session events on Aqara accounts from geolocations or user agents not previously associated with the user.

Detection Strategies

  • Inspect HTTP responses from the IAM/SSO gateway for Access-Control-Allow-Origin values that reflect arbitrary origins together with Access-Control-Allow-Credentials: true.
  • Hunt in web proxy and browser telemetry for cross-origin fetch calls targeting gw-builder.aqara.com from non-Aqara parent pages.
  • Correlate user navigation to suspicious domains with subsequent anomalous Aqara session activity to identify victims of CORS-based exfiltration.

Monitoring Recommendations

  • Alert on browser referrer or Origin header mismatches when sensitive Aqara endpoints are accessed.
  • Monitor identity provider logs for token reuse from new IP addresses shortly after a user visits an untrusted site.
  • Track changes to CORS response headers on Aqara domains so regressions in the allowlist are surfaced quickly.

How to Mitigate CVE-2026-50087

Immediate Actions Required

  • Restrict the IAM/SSO gateway to return Access-Control-Allow-Origin only for an explicit allowlist of trusted Aqara domains.
  • Disable Access-Control-Allow-Credentials: true on any endpoint that does not require cookie-based authentication across origins.
  • Invalidate active sessions and rotate tokens for users who may have visited untrusted sites while authenticated to Aqara.

Patch Information

No vendor patch identifier is listed in the NVD entry at the time of publication. Refer to the RunZero Security Advisory for the latest remediation status and any vendor communications regarding gw-builder.aqara.com.

Workarounds

  • Sign out of Aqara web sessions before browsing untrusted sites, or use a dedicated browser profile for Aqara administration.
  • Deploy browser extensions or enterprise policies that strip third-party cookies on requests to gw-builder.aqara.com.
  • Block or proxy outbound requests to the affected gateway from corporate networks until the CORS configuration is corrected.
bash
# Example nginx configuration enforcing a strict CORS allowlist
map $http_origin $cors_origin {
    default "";
    "https://www.aqara.com"        $http_origin;
    "https://account.aqara.com"    $http_origin;
}

server {
    listen 443 ssl;
    server_name gw-builder.aqara.com;

    add_header Access-Control-Allow-Origin      $cors_origin always;
    add_header Access-Control-Allow-Credentials true        always;
    add_header Vary                             Origin      always;

    if ($cors_origin = "") {
        return 403;
    }
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.