CVE-2026-50084
Published 2026-06-12
Priority: P2 · 63 · critical · 9.6 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
EPSS: 0.21% (11.5th percentile)
The Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) would authorize any valid developer token for access to any account. This is an instance of "CWE-862: Missing Authorization" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N (9.6 Critical). When combined with CVE-2026-50082, CVE-2026-50083, and CVE-2026-50085, this can lead to a fully unauthenticated, remote takeover of affected devices.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aqara | board_service | >= 2026-04-20 < 0 | 0 |
VulDB
Aqara Cloud Production API up to 3.0/3.1/9.6 authorization
vuldb·2026-06-12·CVSS 9.6
CVE-2026-50084 [CRITICAL] Aqara Cloud Production API up to 3.0/3.1/9.6 authorization
A vulnerability has been found in Aqara Cloud Production API up to 3.0/3.1/9.6 and classified as critical. This affects an unknown part. The manipulation leads to missing authorization.
This vulnerability is referenced as CVE-2026-50084. Remote exploitation of the attack is possible. No exploit is available.
GHSA
The Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) would authorize any valid developer token for access to any account.
ghsa_unreviewed·2026-06-12·CVSS 6.5
CVE-2026-50084 [MEDIUM] CWE-862 The Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) would authorize any valid developer token for access to any account.
GHSA
The Aqara Cloud Developer Portal (developer.aqara.com) issued a developer token to any email address supplied by the attacker.
ghsa_unreviewed·2026-06-12·CVSS 9.1
CVE-2026-50082 [CRITICAL] CWE-306 The Aqara Cloud Developer Portal (developer.aqara.com) issued a developer token to any email address supplied by the attacker.
The Aqara Cloud Developer Portal (developer.aqara.com) issued a developer token to any email address supplied by the attacker. This is an instance of "CWE-306: Missing Authentication for Critical Function" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (6.5 Medium). When combined with CVE-2026-50083, CVE-2026-50084, and CVE-2026-50085, any otherwise-unauthenticated attacker could execute a full takeover of affected devices.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-12
Published