HarborGuard Database
CRITICAL | CVE-2026-50084 | CNA: runZero

CVE-2026-50084: Aqara API cross-account access

The Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) would authorize any valid developer token for access to any account, regardless of which account the token was issued for. This is an instance of CWE-862: Missing Authorization, with an estimated CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N (9.6 Critical). When combined with CVE-2026-50082, CVE-2026-50083, and CVE-2026-50085, this can lead to a fully unauthenticated, remote takeover of affected devices.

Metrics

CVSS v3.1: 9.6
Severity: CRITICAL
Fixed in: 0
Affected Products: 1


HarborGuard Analysis

Synopsis

Missing authorization in the Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) allows any authenticated developer token to access any user account, regardless of ownership. The vulnerability is reachable over the network by any holder of a valid developer token, with no victim interaction required, and carries a CVSS v3.1 score of 9.6 Critical due to its cross-tenant, changed-scope impact. Successful exploitation gives an attacker full read and write access to any Aqara account, and when chained with related CVEs (CVE-2026-50082, CVE-2026-50083, CVE-2026-50085), enables fully unauthenticated remote device takeover. No vendor fix version has been published; HarborGuard is tracking the advisory for patch availability.
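As an added illustration (not Aqara's code and not HarborGuard's), the defect class the synopsis names modelled in Python: a handler that grants access once the token authenticates, beside the same handler with the token-to-account ownership check the fix requires, plus a small audit helper that reports every cross-owner grant a policy allows. All tokens, account ids and function names are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed sample data (placeholders, not real Aqara identifiers): which
# developer each token is issued to, and which developer owns each account.
TOKEN_OWNER = {"tok-dev-A": "dev-A", "tok-dev-B": "dev-B"}
ACCOUNT_OWNER = {"acct-1001": "dev-A", "acct-2002": "dev-B"}


@dataclass
class Decision:
    allowed: bool
    reason: str


def authenticate(token: str) -> Optional[str]:
    """Return the developer id bound to a token, or None if the token is invalid."""
    return TOKEN_OWNER.get(token)


def authorize_vulnerable(token: str, account_id: str) -> Decision:
    """CWE-862 pattern: authentication succeeds, so access is granted.
    Whether the caller owns account_id is never checked."""
    if authenticate(token) is None:
        return Decision(False, "invalid token")
    if account_id not in ACCOUNT_OWNER:
        return Decision(False, "no such account")
    return Decision(True, "token valid")


def authorize_fixed(token: str, account_id: str) -> Decision:
    """Corrected check: the authenticated caller must own the target account."""
    caller = authenticate(token)
    if caller is None:
        return Decision(False, "invalid token")
    owner = ACCOUNT_OWNER.get(account_id)
    # Same answer for "not yours" and "does not exist", so the endpoint
    # cannot be used to confirm which account ids exist.
    if owner is None or owner != caller:
        return Decision(False, "not found")
    return Decision(True, "caller owns account")


def cross_account_grants(authorize: Callable[[str, str], Decision]) -> List[Tuple[str, str]]:
    """Audit helper: try every token against every account it does not own and
    report the (caller, account) pairs the policy wrongly allows."""
    grants = []
    for token, caller in TOKEN_OWNER.items():
        for account_id, owner in ACCOUNT_OWNER.items():
            if owner != caller and authorize(token, account_id).allowed:
                grants.append((caller, account_id))
    return grants
```

Running `cross_account_grants` against both policies is the regression check to keep in a test suite: the vulnerable policy reports every cross-owner pair, the corrected one reports none.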

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-50084 is available across every HarborGuard environment, with ingestion from upstream feeds and the CNA advisory typically completing within minutes of publication. Matching runs against all images in customer registries and CI/CD pipelines, including internally built images that bundle or depend on Aqara API client code.

Triage: Available

HarborGuard is capable of scoring this finding at its published CVSS v3.1 severity of 9.6 Critical and weighting it against each customer organization's compliance policy to determine urgency and escalation path. Routing to the appropriate team inbox within each customer org is handled automatically based on policy configuration.

Patch: Available

Because no upstream fix version has been published, HarborGuard re-checks the Aqara advisory on every ingest cycle and will make a patched-image rebuild available the moment the vendor ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The vulnerable API endpoint is exposed over the internet, so an attacker must be able to reach it over the network.

  • Authentication: Required

    Any valid Aqara developer token is sufficient; the attacker does not need elevated or administrative privileges, but must hold at least a low-privilege developer credential.

  • Victim interaction: Not required

    The attacker targets the API directly; no action from an account owner or any other user is needed.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special environmental conditions, race conditions, or memory layout knowledge.

Blast Radius

  • Reads all data stored in any targeted Aqara user account, including device configurations, automation rules, location data, and stored credentials or tokens.
  • Modifies account settings, automation rules, and device state for any account reachable via the API.
  • When chained with CVE-2026-50082, CVE-2026-50083, and CVE-2026-50085, enables a fully unauthenticated attacker to issue commands to and take over any connected Aqara smart-home device.
  • The changed-scope (S:C) rating means impact extends beyond the vulnerable API component itself to the broader set of devices and data under every affected account.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is active and matched against all images in customer registries and pipelines. Because the Aqara vendor has not yet released a fix, no patched-image rebuild is currently available; HarborGuard will generate the rebuild and, for customers with auto-remediation enabled, open a regression-tested PR against affected workloads the moment an upstream fix is published. In the interim, customers are advised to apply network-policy isolation to any services that embed or proxy Aqara API calls, restrict outbound egress to the Aqara API endpoint to known-good service identities only, and audit all developer tokens currently issued to limit exposure surface. The related CVE chain (CVE-2026-50082, CVE-2026-50083, CVE-2026-50085) should be reviewed alongside this finding given the combined unauthenticated-takeover risk.


Fix available: 0

Affected packages
  • Aqara / Cloud Production API: < 0 (from 2026-04-20)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N