Severity: HIGH | CVE-2026-50088 | CNA: runZero

CVE-2026-50088: Aqara Developer Portal cross-origin resource sharing

The Aqara Developer Portal (developer.aqara.com) and its shared test environments (developer-test.aqara.com, aiot-test.aqara.com) exhibit permissive cross-origin resource sharing (CORS), an instance of "CWE-942: Permissive Cross-domain Policy with Untrusted Domains," with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High).

Metrics

  • CVSS v3.1: 8.2
  • Severity: HIGH
  • Fixed in: 0
  • Affected Products: 2


HarborGuard Analysis

Synopsis

A permissive cross-origin resource sharing (CORS) misconfiguration affects the Aqara Developer Portal (developer.aqara.com) and its shared test environments (developer-test.aqara.com, aiot-test.aqara.com). The flaw is reachable over the network with no authentication required, but does require a victim to interact with an attacker-controlled page. Successful exploitation allows a remote origin to read high-sensitivity data from the portal and make limited modifications on behalf of an authenticated user. No fix version has been published; HarborGuard tracks the advisory and will make a patched rebuild available as soon as the upstream fix is released.
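As an added example (not part of this advisory or of HarborGuard's tooling), a small Python check that classifies the CORS headers a server returns for one cross-origin request, separating the CWE-942 pattern described here (an untrusted origin echoed back together with credentials) from a harmless wildcard or an allowlisted origin, alongside the allowlist-based headers a hardened server would emit. The trusted-origin set is an assumption; the advisory does not say which origins the portal should allow.

```python
# Added example, not code from the advisory or from Aqara/HarborGuard.
# TRUSTED_ORIGINS is a hypothetical allowlist chosen for illustration.
TRUSTED_ORIGINS = {"https://developer.aqara.com", "https://developer-test.aqara.com"}


def cors_verdict(request_origin: str, headers: dict) -> str:
    """Classify the CORS headers sent in reply to `Origin: request_origin`.

    Verdicts:
      "no-cors"                  no Access-Control-Allow-Origin header at all
      "allowlisted"              ACAO names a trusted origin
      "wildcard-no-credentials"  ACAO: *; browsers never expose a credentialed
                                 response under '*', so only public data is readable
      "permissive"               untrusted origin reflected, no credentials
      "permissive-credentialed"  untrusted origin reflected AND credentials allowed:
                                 the CWE-942 case, a cross-origin read of session data
      "mismatch"                 ACAO names some other origin; the browser blocks the read
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors"
    if acao == "*":
        return "wildcard-no-credentials"
    if acao in TRUSTED_ORIGINS:
        return "allowlisted"
    # An attacker-controlled origin echoed back, or the "null" origin, is untrusted.
    if acao == request_origin or acao == "null":
        return "permissive-credentialed" if creds else "permissive"
    return "mismatch"


def hardened_cors_headers(request_origin: str) -> dict:
    """Headers an allowlist-based server should emit: echo only trusted origins,
    never '*' together with credentials, and Vary on Origin so a shared cache
    cannot hand one origin's allowance to another."""
    if request_origin not in TRUSTED_ORIGINS:
        return {}  # omit CORS headers entirely; the browser enforces same-origin
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }
```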

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-50088 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle or depend on Aqara Developer Portal components. Any image flagged as running an affected version surfaces immediately in the scan results dashboard and CI pipeline gate.

Triage: Available

HarborGuard is capable of scoring this CVE at its published CVSS 3.1 rating of 8.2 (High) and applying per-environment compliance policy weighting to adjust priority where customers have defined their own risk tolerances. Triage findings are routed to the appropriate team inbox within each customer org based on image ownership and policy configuration.

Patch: Available

Because no upstream fix version has been published for this CVE, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream vendor ships a fix. In the interim, customers can apply compensating controls through HarborGuard network-policy recommendations, such as egress filtering and origin restriction at the ingress layer, to reduce exposure while awaiting the vendor patch.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the affected portal endpoints over the network; the service is internet-exposed at developer.aqara.com and its test subdomains.

  • Authentication: Not required

    No account or credentials are needed to initiate the cross-origin request against the vulnerable endpoints.

  • Victim interaction: Required

    A legitimate authenticated user must visit an attacker-controlled page, which then issues cross-origin requests to the portal on the victim's behalf.

  • Attack complexity: Low

    Attack complexity is low; the exploit requires no special race conditions, memory layout dependencies, or environmental prerequisites beyond luring a victim to an attacker-controlled origin.

Blast Radius

  • Reads sensitive data returned by the Developer Portal API, including developer credentials, device configuration details, and session-scoped tokens belonging to the authenticated victim.
  • Makes limited modifications to portal state on behalf of the victim, such as altering device settings or registered application configurations, within the scope of the victim's session.
  • The scope impact extends beyond the vulnerable origin (Scope: Changed), meaning data and actions from the portal context can be surfaced to a third-party attacker-controlled domain.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-50088 as of its publication date of 2026-06-12, the platform monitors the Aqara advisory on every ingest cycle. The moment a fix version is published it will automatically trigger a patched-image rebuild and, for customers with auto-remediation enabled, open a pull request against affected workloads. While awaiting the vendor patch, HarborGuard surfaces compensating-control recommendations: enforcing strict Content-Security-Policy and CORS headers at the ingress or API-gateway layer, applying network policies to restrict which internal origins can communicate with Aqara portal endpoints, and flagging any images that expose the affected portal surface in internet-reachable deployments for expedited manual review.


Fix available: 0

Affected packages

  • Aqara / Aqara Developer Portal: < 0 (from 2026-04-20)
  • Aqara / Aqara Developer Test Portal: < 0 (from 2026-04-20)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N