Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-50090

CVE-2026-50090: Aqara Cloud OAuth Bypass Vulnerability

CVE-2026-50090 is an authentication bypass flaw in Aqara Cloud OAuth Authorization Endpoint that allows redirect attacks through improper domain validation. This post covers the technical details, impact, and mitigation.

Published:

CVE-2026-50090 Overview

CVE-2026-50090 is an OAuth redirect validation bypass affecting the Aqara Cloud authorization endpoint at open-cn.aqara.com/oauth/authorize. The flaw stems from lax domain matching during the redirect URI validation step. Attackers can craft authorization requests that redirect victims to attacker-controlled hosts while still appearing to originate from the legitimate Aqara OAuth flow. The issue is tracked under [CWE-1289: Improper Validation of Unsafe Equivalence in Input].

Critical Impact

Successful exploitation allows attackers to steal OAuth authorization codes or access tokens. This grants account takeover capability against Aqara smart home accounts and connected IoT devices.

Affected Products

  • Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize)
  • Third-party integrations relying on Aqara Cloud OAuth for account linking
  • Aqara smart home accounts and connected IoT devices using OAuth-based authentication

Discovery Timeline

  • 2026-06-12 - CVE-2026-50090 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-50090

Vulnerability Analysis

The Aqara Cloud OAuth authorization endpoint validates the redirect_uri parameter using insufficient string matching. Instead of enforcing strict equality against a pre-registered allowlist of redirect URIs, the endpoint accepts variations that resolve to attacker-controlled domains. This pattern matches [CWE-1289], where input that is semantically unsafe is treated as equivalent to a trusted value.

The vulnerability falls under the Authorization Bypass and Open Redirect categories. It abuses a foundational OAuth 2.0 control: the redirect URI binds the authorization response to a trusted client endpoint. When that binding fails, the authorization code can be delivered to any host the attacker chooses.

The attack requires user interaction. A victim must click a crafted authorization link while authenticated to Aqara Cloud. The scope is Changed, reflecting that the issued tokens grant access to resources beyond the OAuth endpoint itself, including device control APIs.

Root Cause

The root cause is improper validation of equivalence in the redirect_uri parameter. Domain comparison logic does not enforce exact-match semantics. Variants such as subdomain confusion, suffix matching, or path manipulation are accepted as equivalent to the registered redirect URI. This permits an attacker-controlled origin to receive the OAuth authorization response.

Attack Vector

An attacker registers or controls a domain that satisfies the loose matching rules. The attacker then distributes an authorization URL pointing at open-cn.aqara.com/oauth/authorize with a redirect_uri parameter aimed at the attacker domain. A victim authenticated to Aqara clicks the link and approves the request. The authorization code is delivered to the attacker, who exchanges it for an access token and assumes control of the victim's account.

The vulnerability mechanism is documented in the public proof-of-concept and advisory. See the GitHub PoC Repository and the RunZero Security Advisory for request-level technical details.

Detection Methods for CVE-2026-50090

Indicators of Compromise

  • Outbound HTTP requests to open-cn.aqara.com/oauth/authorize containing redirect_uri parameters pointing at domains outside the official Aqara client allowlist.
  • OAuth authorization codes or tokens being delivered to hosts that do not match registered Aqara integration partners.
  • Unexpected Aqara account activity such as new device pairings, automation changes, or session creations from unfamiliar geolocations.

Detection Strategies

  • Inspect proxy and DNS logs for authorization requests to open-cn.aqara.com and flag mismatches between the client_id and the redirect_uri host.
  • Monitor email and messaging gateways for links containing the Aqara authorization path combined with non-Aqara redirect targets.
  • Correlate Aqara account login or device-control events against expected user geolocation and device fingerprints.

Monitoring Recommendations

  • Alert on user clicks from corporate endpoints to OAuth authorization URLs where the redirect_uri host does not match a known partner domain.
  • Track creation of new OAuth grants on Aqara accounts and surface grants tied to unrecognized client applications.
  • Capture and retain full URL query strings in web proxy logs to support retrospective investigation of redirect parameters.

How to Mitigate CVE-2026-50090

Immediate Actions Required

  • Treat unsolicited Aqara authorization links as phishing and block delivery at email and messaging gateways.
  • Revoke active OAuth grants on Aqara accounts that show unrecognized client applications or recent authorization events.
  • Rotate Aqara account credentials and require multi-factor authentication for account holders managing connected devices.

Patch Information

No vendor patch advisory has been published in the enriched NVD record at the time of writing. Remediation must occur on the Aqara Cloud side by enforcing exact-match validation of registered redirect URIs. Refer to the RunZero Security Advisory for ongoing status and disclosure details.

Workarounds

  • Restrict outbound access to open-cn.aqara.com/oauth/authorize from corporate networks where Aqara integration is not required.
  • Educate users to avoid clicking Aqara authorization links received from untrusted sources, even if the initial domain appears legitimate.
  • For partner integrations, validate the redirect_uri value client-side before initiating the OAuth flow and reject any deviations from the expected exact string.
bash
# Example proxy rule: alert when Aqara OAuth redirect_uri targets a non-allowlisted host
# Pseudocode for a web proxy or SIEM correlation rule
if request.host == "open-cn.aqara.com" \
   and request.path == "/oauth/authorize" \
   and parse_query(request.url).redirect_uri.host not in AQARA_ALLOWLIST:
    alert("Potential CVE-2026-50090 OAuth redirect abuse", severity="high")

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.