CVE-2026-50087: Aqara IAM/SSO Gateway cross-origin resource sharing
The Aqara IAM/SSO gateway (gw-builder.aqara.com) has a permissive cross-origin resource sharing (CORS) configuration, an instance of "CWE-942: Permissive Cross-domain Policy with Untrusted Domains," with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High).
Metrics
- CVSS v3.1: 8.2
- Severity: HIGH
- Fixed in: 0
- Affected Products: 1
HarborGuard Analysis
Synopsis
A permissive cross-origin resource sharing (CORS) misconfiguration affects the Aqara IAM/SSO Gateway (gw-builder.aqara.com). The vulnerability is reachable over the network and requires no authentication, but does require a victim to visit an attacker-controlled page in a browser. Successful exploitation allows an attacker to read sensitive data from the gateway and make limited modifications, effectively enabling cross-origin session or credential theft. No fix version has been published; HarborGuard tracks the advisory for patch availability.
HarborGuard Coverage
Detection of CVE-2026-50087 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the Aqara IAM/SSO Gateway. Any image found running an affected version is flagged immediately.
Triage is available with CVSS v3.1 scoring at 8.2 (HIGH), surfaced alongside each customer org's compliance policy weights to determine priority routing. Findings are directed to the appropriate team inbox within each customer environment based on configured ownership rules.
Because no upstream fix has been released, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix version is published. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.
Exploit Conditions
- Network reachability: Required. The gateway is exposed over the network; an attacker must be able to direct HTTP requests at the service from a remote origin.
- Authentication: Not required. No credentials or account are needed to initiate the cross-origin request.
- Victim interaction: Required. A victim must visit or be lured to an attacker-controlled web page that issues the malicious cross-origin request from their browser session.
- Attack complexity: Low. The exploit is reliable and requires no special environmental conditions, race timing, or memory layout knowledge.
Blast Radius
- An attacker reads high-confidentiality data from the IAM/SSO gateway, including session tokens, identity assertions, or other authentication artifacts tied to the victim's active session.
- An attacker makes limited modifications to gateway-held data (integrity impact is low), such as altering profile fields or injecting short-lived state values.
- Because the scope is changed (S:C), the impact extends beyond the gateway itself, meaning harvested tokens or modified state can be used to pivot into other services that trust the SSO gateway.
How HarborGuard Handles This
Available on HarborGuard: this CVE has no upstream fix as of publication, so the focus is on detection and compensating controls. Images containing the affected Aqara IAM/SSO Gateway are flagged automatically as matching scans complete. While awaiting a vendor patch, customers can apply network-policy isolation to restrict which origins are permitted to reach the gateway, configure egress filtering to block unexpected cross-origin responses from leaving the service perimeter, and review any feature-flag or configuration options in the gateway that govern CORS policy to tighten allowed origins. HarborGuard will re-evaluate the advisory on every ingest cycle; when an upstream fix is published, a patched-image rebuild becomes available immediately, and for customers with auto-remediation enabled, a regression-tested PR is opened against affected workloads without manual intervention.
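To make the "tighten allowed origins" advice concrete, here is an added Python example (not Aqara's gateway code and not part of HarborGuard's product) showing the CWE-942 pattern beside its corrected form, plus a small header check a defender can run over captured responses while waiting for a vendor fix. The allowlist origins (`app.example.com`, `admin.example.com`) and the function names are constructed for illustration; nothing here reflects the real gateway's configuration.

```python
from typing import Dict, FrozenSet, List, Optional

# Constructed allowlist for illustration only; not Aqara's real origins.
ALLOWED_ORIGINS: FrozenSet[str] = frozenset({
    "https://app.example.com",
    "https://admin.example.com",
})


def permissive_cors_headers(request_origin: Optional[str]) -> Dict[str, str]:
    """Weak pattern (CWE-942): echo whatever Origin the browser sent and
    also allow credentials, so any site the victim visits can issue
    cookie-bearing requests and read the responses."""
    if request_origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def hardened_cors_headers(request_origin: Optional[str],
                          allowed: FrozenSet[str] = ALLOWED_ORIGINS) -> Dict[str, str]:
    """Corrected pattern: exact-match allowlist of full origins
    (scheme + host + port). Unknown origins get no CORS headers at all,
    so the browser refuses to expose the response to the calling page."""
    if request_origin is None or request_origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        # Stop shared caches from serving one origin's headers to another.
        "Vary": "Origin",
    }


def cors_findings(request_origin: Optional[str], headers: Dict[str, str],
                  allowed: FrozenSet[str] = ALLOWED_ORIGINS) -> List[str]:
    """Inspect one response's CORS headers for CWE-942 patterns.
    Returns a list of finding tags; an empty list means nothing suspicious."""
    findings: List[str] = []
    # Header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is None:
        return findings  # no cross-origin read is possible
    if acao == "*":
        # Browsers reject "*" together with credentials, but the combination
        # still signals a misconfigured policy worth fixing.
        if creds:
            findings.append("wildcard-with-credentials")
        return findings
    if acao == "null":
        findings.append("null-origin-allowed")
    # Exact comparison catches suffix/prefix matching bugs too: an origin
    # like https://app.example.com.attacker.example is not in the allowlist.
    if request_origin is not None and acao == request_origin and request_origin not in allowed:
        findings.append("origin-reflected-with-credentials" if creds else "origin-reflected")
    vary = [v.strip().lower() for v in h.get("vary", "").split(",")]
    if "origin" not in vary:
        findings.append("missing-vary-origin")
    return findings


if __name__ == "__main__":
    # Constructed sample: an untrusted origin against both handler variants.
    untrusted = "https://attacker.example"
    print("permissive:", cors_findings(untrusted, permissive_cors_headers(untrusted)))
    print("hardened:  ", cors_findings(untrusted, hardened_cors_headers(untrusted)))
```

The check is deliberately strict about exact origin equality: suffix matching ("ends with aqara.com") and substring matching are the usual root causes behind origin reflection, and both are caught because the reflected value simply is not in the allowlist. `cors_findings` can be pointed at headers captured from a proxy log or a test harness to confirm a gateway's policy before and after a configuration change.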
Fix available
- Aqara / Aqara IAM/SSO Gateway: < 0 (from 2026-04-20)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N