CVE-2026-50086 (CRITICAL) · CNA: runZero

CVE-2026-50086: Aqara unauthenticated AES oracle

The Aqara IAM/SSO gateway (gw-builder.aqara.com) exposes bidirectional AES round-trips (encryption and decryption) against the platform's signing key without authentication. This is an instance of CWE-306 (Missing Authentication for Critical Function) and CWE-327 (Use of a Broken or Risky Cryptographic Algorithm). The advisory's estimated CVSS is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High), which counts only confidentiality impact within the gateway's own scope; the HarborGuard score on this page uses the scope-changed vector with high confidentiality, integrity and availability impact (10.0 Critical), reflecting the platform-wide token forgery described in the Synopsis below.

Metrics

CVSS v3.1: 10.0
Severity: CRITICAL
Fixed in: none published (0)
Affected products: 1


HarborGuard Analysis

Synopsis

An unauthenticated AES oracle vulnerability affects the Aqara IAM/SSO gateway (gw-builder.aqara.com). The gateway exposes AES encryption and decryption, in both directions, under the platform's signing key over the network with no authentication, so any remote attacker can query the oracle freely. Successful exploitation lets an attacker forge, decrypt, and tamper with signed tokens and other cryptographic material across the platform, compromising confidentiality, integrity, and availability at scope-changed severity. No fix version has been published; HarborGuard is tracking the advisory and will make a patched rebuild available as soon as an upstream fix is released.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-50086 is available in every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that embed Aqara IAM/SSO gateway components.

Triage: Available

HarborGuard scores this finding at CVSS 10.0 Critical (v3.1) and weighs it against each environment's compliance policy to determine whether it breaches the applicable severity threshold; the resulting alert is routed to the inbox configured for the affected workload owner in each customer organization.

Patch: Available (pending upstream fix)

Because no upstream fix version has been published, HarborGuard re-checks the Aqara advisory on every ingest cycle and will make a patched-image rebuild available as soon as an upstream fix is released. For customers with auto-remediation enabled, that rebuild triggers a regression test run and opens a PR against affected workloads without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The vulnerable AES oracle endpoint is exposed over the public internet; an attacker needs to reach gw-builder.aqara.com, or any deployment that embeds the gateway service, on its listening port.

  • Authentication: Not required

    No credentials or session token of any kind are needed; the AES oracle accepts requests from any unauthenticated caller.

  • Victim interaction: Not required

    The attacker sends crafted requests directly to the oracle endpoint; no user action, click, or social engineering is needed.

  • Attack complexity: Low

    The exploit is reliable and repeatable, with no race conditions, memory-layout dependencies, or environmental preconditions to satisfy.

Blast Radius

  • Reads and decrypts platform-signed tokens, session credentials, and any data protected by the exposed signing key.
  • Forges valid cryptographic signatures, allowing the attacker to impersonate arbitrary users or services across the Aqara IAM/SSO platform.
  • Modifies integrity-protected payloads by re-encrypting tampered content with the oracle, corrupting authentication and authorization decisions platform-wide.
  • Disrupts platform availability by flooding the oracle or injecting malformed signed data that causes downstream service failures across dependent systems.
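To make concrete why an unauthenticated encrypt/decrypt endpoint bound to the token key is the same as holding the key, as the Synopsis and the first three Blast Radius items describe, here is an added example in Go. It is not code from Aqara, runZero or HarborGuard, and it assumes nothing about the real gateway's token format or endpoints. It models a token service whose session tokens are AES-256-GCM ciphertexts of JSON claims, a vulnerable oracle that encrypts and decrypts raw bytes under that same key for any caller, and a hardened variant that both requires an authenticated caller and runs under a separately derived key. The claim names, the key-purpose labels, the HMAC-based key derivation and the all-zero master key are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// gcmFor builds AES-256-GCM for a 32-byte key; every key here comes from deriveKey.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal returns nonce || ciphertext || tag under AES-256-GCM.
func seal(key, pt []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, pt, nil)
}

// open reverses seal; a wrong key or any tampering fails the GCM tag check.
func open(key, tok []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(tok) < gcm.NonceSize() {
		return nil, errors.New("token too short")
	}
	return gcm.Open(nil, tok[:gcm.NonceSize()], tok[gcm.NonceSize():], nil)
}

// deriveKey (HMAC-SHA256 as a minimal KDF, an assumption of this example) gives
// per-purpose subkeys, so a crypto utility endpoint never holds the token key's bytes.
func deriveKey(master []byte, purpose string) []byte {
	m := hmac.New(sha256.New, master)
	m.Write([]byte(purpose))
	return m.Sum(nil)
}

// verifyToken is the token service's check: a session token is
// seal(tokenKey, JSON claims), and anything that opens under tokenKey is trusted.
func verifyToken(tokenKey, tok []byte) (claims map[string]string, err error) {
	pt, err := open(tokenKey, tok)
	if err == nil {
		err = json.Unmarshal(pt, &claims)
	}
	return claims, err
}

// The vulnerable oracle mirrors the advisory: raw AES under the token key with no
// check on the caller, so encrypting chosen claims is the same as issuing a token.
func vulnerableOracleEncrypt(tokenKey, pt []byte) []byte { return seal(tokenKey, pt) }
func vulnerableOracleDecrypt(tokenKey, tok []byte) ([]byte, error) { return open(tokenKey, tok) }

// hardenedOracle refuses unauthenticated callers and runs under a purpose-bound
// key, so even an authorised caller cannot mint something verifyToken accepts.
func hardenedOracle(oracleKey, pt []byte, callerAuthed bool) ([]byte, error) {
	if !callerAuthed {
		return nil, errors.New("unauthenticated caller")
	}
	return seal(oracleKey, pt), nil
}

// Outcome records what each deployment let the attacker achieve.
type Outcome struct {
	ForgedAdminAccepted   bool   // vulnerable: oracle output verifies as an admin token
	LeakedRole            string // vulnerable: a captured user token decrypted via the oracle
	HardenedUnauthDenied  bool   // hardened: unauthenticated call refused
	HardenedForgeRejected bool   // hardened: an authed caller's output still fails verifyToken
}

// RunScenario plays the attack against both deployments derived from one master key.
func RunScenario(master []byte) (out Outcome) {
	tokenKey := deriveKey(master, "session-token")
	adminClaims := []byte(`{"sub":"attacker","role":"admin"}`) // attacker-chosen plaintext
	c, err := verifyToken(tokenKey, vulnerableOracleEncrypt(tokenKey, adminClaims))
	out.ForgedAdminAccepted = err == nil && c["role"] == "admin"
	victim := seal(tokenKey, []byte(`{"sub":"alice","role":"user"}`)) // a captured legitimate token
	if pt, err := vulnerableOracleDecrypt(tokenKey, victim); err == nil {
		_ = json.Unmarshal(pt, &c)
		out.LeakedRole = c["role"]
	}
	oracleKey := deriveKey(master, "crypto-oracle")
	_, err = hardenedOracle(oracleKey, adminClaims, false)
	out.HardenedUnauthDenied = err != nil
	forged, _ := hardenedOracle(oracleKey, adminClaims, true)
	_, err = verifyToken(tokenKey, forged)
	out.HardenedForgeRejected = err != nil
	return out
}
```

Calling `RunScenario(make([]byte, 32))` yields ForgedAdminAccepted true, LeakedRole "user", HardenedUnauthDenied true and HardenedForgeRejected true. The two properties of the hardened variant are independent fixes: the caller check is the CWE-306 remediation, and the separate purpose-bound key means the oracle's outputs could never be accepted as tokens even if that check later regressed. Note that authenticated encryption alone does not help here: AES-GCM is used throughout, and the forgery still works in the vulnerable case because the oracle hands out valid tags under the token key.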

How HarborGuard Handles This

Because no upstream fix exists for CVE-2026-50086 at this time, the platform re-checks the Aqara advisory on every ingest cycle and will surface a patched-image rebuild the moment Aqara publishes a remediated version; for customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads are triggered automatically. While no patch is available, compensating controls worth evaluating include network-policy or ingress-filtering rules that block unauthenticated external access to the gateway's oracle endpoint, and feature-flag or WAF-level gating that restricts the exposed cryptographic endpoint to known internal callers. These controls reduce exposure but do not remove the weakness: any caller who can still reach the endpoint can still use the key. Given the CVSS 10.0 Critical score and the scope-changed impact across confidentiality, integrity, and availability, this advisory is surfaced at the highest priority tier in HarborGuard triage routing for all environments where the affected image is present.


Fix available: none (0)

Affected packages
  • Aqara / Aqara IAM/SSO Gateway: affected range listed as < 0 (no fixed version), recorded 2026-04-20

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H