HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-50085Published Modified CNA runZero

CVE-2026-50085: Aqara Board IoT insecure debug API

The Aqara Board service (op-test.aqara.com) accepts arbitrary MQTT command payloads, and forwards them to the platfom's HiveMQ broker without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and has an estimated CVSS ofCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L (8.6 High). When combined with CVE-2026-50082, CVE-50083, and CVE-50084, this can lead to a fully unauthenticated, remote takeover of affected devices.

Metrics

CVSS v3.1
8.6
Severity
HIGH
Fixed in
0
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

Missing authentication on a critical function in the Aqara Board IoT service (op-test.aqara.com) allows any network-accessible attacker to submit arbitrary MQTT command payloads that are forwarded directly to the platform's HiveMQ broker without any authentication check. The attack requires no credentials and no victim interaction, and successful exploitation enables partial data disclosure, significant data and state tampering, and partial service disruption on affected devices. When chained with CVE-2026-50082, CVE-50083, and CVE-50084, this vulnerability can result in fully unauthenticated remote device takeover. No upstream fix version is currently available; HarborGuard tracks this advisory for patch availability.

HarborGuard Coverage

Detection

Detection of CVE-2026-50085 is available across every HarborGuard environment: the CVE record is ingested from upstream advisory feeds within minutes of publication and matched against all images in customer registries and CI/CD pipelines, including custom-built images that incorporate Aqara Board service components.

Available
Triage

Triage capability is available with the CVSS v3.1 base score of 8.6 (HIGH) applied automatically, weighted against each environment's compliance policy to determine urgency and priority routing to the appropriate team inbox within each customer organization.

Available
Patch

Because no upstream fix version exists for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is published. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.

Available

Exploit Conditions

  • Network reachabilityRequired

    The vulnerable debug API endpoint is exposed over the network, so an attacker must be able to reach op-test.aqara.com or the HiveMQ broker from the internet or any connected network segment.

  • AuthenticationNot required

    No credentials of any kind are checked before MQTT command payloads are accepted and forwarded; any unauthenticated sender can exploit this function.

  • Victim interactionNot required

    The attacker sends payloads directly to the service endpoint and no action from a logged-in user or device owner is needed.

  • Attack complexityDetail

    Attack complexity is low, meaning the exploit is reliable and imposes no special timing, race conditions, or environmental prerequisites on the attacker.

Blast Radius

  • A successful attacker reads platform metadata and any low-sensitivity data exposed through the unauthenticated MQTT channel (Confidentiality: Low).
  • A successful attacker writes arbitrary MQTT command payloads to the HiveMQ broker, modifying device state, configuration, and persisted command queues (Integrity: High).
  • A successful attacker disrupts availability of affected devices or broker connections, causing partial service outages (Availability: Low).
  • When combined with CVE-2026-50082, CVE-50083, and CVE-50084, a successful attacker achieves full unauthenticated remote takeover of affected Aqara Board devices.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been published for CVE-2026-50085 as of the CVE publication date of 2026-06-12, the platform monitors the advisory on every ingest cycle and will surface a patched-image rebuild automatically the moment an upstream fix version is released. For customers who opt into auto-remediation, that rebuild will be followed by a regression test run and a PR opened against affected workloads with no manual intervention required. While no patch is available, compensating controls worth evaluating include network-policy isolation to restrict egress from container workloads to op-test.aqara.com and the HiveMQ broker endpoints, egress filtering at the cluster or host level to block unauthorized MQTT (port 1883/8883) traffic, and feature-flag gating to disable any service components that initiate outbound connections to the affected Aqara Board service until a fix is available. Customers should also assess exposure from the related chain vulnerabilities (CVE-2026-50082, CVE-50083, CVE-50084) given that combined exploitation leads to full device takeover.

See how HarborGuard automates this

Fix available

0
Affected packages
  • Aqara / Board service
    < 0 (from 2026-04-20)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
References