CVE-2026-50084

CRITICAL 9.6

Aqara API cross-account access

CVSS Score

9.6

EPSS Score

0.0%

EPSS Percentile

0th

The Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) would authorize any valid developer token for access to any account. This is an instance of "CWE-862: Missing Authorization" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N (9.6 Critical). When combined with CVE-2026-50082, CVE-50083, and CVE-50085, this can lead to a fully unauthenticated, remote takeover of affected devices.

CWE	CWE-862
Vendor	aqara
Product	cloud production api
Published	Jun 12, 2026
Last Updated	Jun 12, 2026

Stay Ahead of the Next One

Get instant alerts for aqara cloud production api

Be the first to know when new critical vulnerabilities affecting aqara cloud production api are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Affected Versions

Aqara / Cloud Production API

2026-04-20 < 0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/xn0tsa/theres-no-place-like-home runzero.com: https://www.runzero.com/advisories/aqara-api-access-cve-2026-50084

Credits

Sammy Azdoufal Tod Beardsley of runZero, Inc.