CVE-2026-50083: Aqara hardcoded OAuth client credentials
The Aqara IAM/SSO Gateway (gw-builder.aqara.com) used a hardcoded OAuth client credential, an instance of "CWE-798: Use of Hard-coded Credentials." The issue has an estimated CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1, Critical). When combined with CVE-2026-50082, CVE-50084, and CVE-50085, it can lead to a fully unauthenticated, remote takeover of affected devices.
Metrics
- CVSS v3.1: 9.1
- Severity: CRITICAL
- Fixed in: 0
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a hardcoded-credentials vulnerability in the Aqara IAM/SSO Gateway (gw-builder.aqara.com). The gateway embeds a fixed OAuth client credential that any remote, unauthenticated attacker can extract and reuse, reachable over the network with no authentication or victim interaction required. Successful exploitation exposes sensitive account data and allows an attacker to modify configuration or identity state; when chained with related CVEs (CVE-2026-50082, CVE-50084, CVE-50085), it enables full unauthenticated remote device takeover. No upstream fix version has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment one is released.
HarborGuard Coverage
Detection of CVE-2026-50083 is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI/CD pipelines, including custom-built images that bundle the Aqara IAM/SSO Gateway.
Triage is available using the recorded CVSS v3.1 score of 9.1 (Critical) derived from the published vector, weighted against each customer organization's per-environment compliance policy. Findings are routed to the appropriate inbox within each customer org based on configured severity thresholds and ownership rules.
Because no upstream fix version exists for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment upstream publishes a corrected release. In the meantime, customers can apply compensating controls through HarborGuard network-policy recommendations to isolate the affected gateway service from broad network exposure.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Aqara IAM/SSO Gateway over the network; the service exposes the vulnerable OAuth endpoint remotely (AV:N).
- Authentication: Not required
No account or credential is needed to exploit this vulnerability; the hardcoded OAuth client secret is available to any unauthenticated caller (PR:N).
- Victim interaction: Not required
No user action is required; the attacker interacts directly with the gateway endpoint without any social-engineering step (UI:N).
- Attack complexity: Low
Exploitation is reliable and condition-free; no race conditions, memory layout dependencies, or environmental prerequisites apply (AC:L).
Blast Radius
- An attacker reads identity and session data managed by the IAM/SSO Gateway, including OAuth tokens and associated account records (C:H).
- An attacker modifies identity configuration, user bindings, or authorization state within the gateway (I:H).
- When chained with CVE-2026-50082, CVE-50084, and CVE-50085, an attacker achieves full unauthenticated remote takeover of affected Aqara devices without any prior foothold.
- Availability of the gateway service is not directly impacted by this CVE in isolation (A:N).
How HarborGuard Handles This
Available on HarborGuard: this CVE is flagged as Critical (CVSS 9.1) and ingested immediately upon publication, with matching applied against all customer images that include the Aqara IAM/SSO Gateway. Because no upstream patch exists as of the publication date (2026-06-12), HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild automatically once Aqara ships a fix. For customers who opt into auto-remediation, that rebuild will trigger a regression test run and open a PR against affected workloads without manual intervention, gated on each organization's compliance policy. While no patch is available, recommended compensating controls include applying Kubernetes network policies or firewall rules to restrict inbound access to the gateway to trusted sources only, enabling egress filtering to prevent the gateway from reaching unauthorized OAuth consumers, and auditing any existing OAuth tokens issued through the gateway for signs of unauthorized use.
Fix available
- Aqara / Aqara IAM/SSO Gateway: < 0 (from 2026-04-20)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N