HarborGuard Database

CVE-2026-50090 (CRITICAL), CNA: runZero

CVE-2026-50090: Aqara OAuth redirect_uri validation bypass

The Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize) is vulnerable to a redirect_uri bypass caused by lax domain matching when the redirect_uri parameter is validated. This is an instance of "CWE-1289: Improper Validation of Unsafe Equivalence in Input" and has an estimated CVSS v3.1 score of 9.3 (Critical), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N.

Metrics

  • CVSS v3.1: 9.3
  • Severity: CRITICAL
  • Fixed in: 0 (no fix version published yet)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An OAuth redirect_uri validation bypass affects the Aqara Cloud OAuth Authorization Endpoint at open-cn.aqara.com/oauth/authorize. The endpoint is reachable over the network without authentication, but a victim must follow a crafted authorization link for the attack to succeed. Successful exploitation lets an attacker steal OAuth authorization codes and access tokens, and tamper with OAuth-linked account data. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
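The bug class named above, as an added illustration that is not Aqara's code and does not reproduce the actual open-cn.aqara.com check (the lax validator, the registered URI set and every hostname below are constructed): a substring-style domain match beside the exact-match comparison that the OAuth 2.0 Security Best Current Practice calls for, run over sample redirect_uri values so the difference is visible.

```python
from urllib.parse import urlsplit

# Constructed data for a hypothetical OAuth client; not Aqara's real values.
REGISTERED_REDIRECT_URIS = {"https://app.example.com/oauth/callback"}
CLIENT_DOMAIN = "example.com"  # the value a lax validator would key on


def lax_redirect_uri_ok(redirect_uri: str) -> bool:
    """Illustrative lax check (hypothetical): accept any redirect_uri whose
    host merely contains the client's registered domain. This is the
    CWE-1289 pattern: inputs that are not equivalent are treated as equal,
    so hosts the client does not control pass the check."""
    host = urlsplit(redirect_uri).hostname or ""
    return CLIENT_DOMAIN in host


def strict_redirect_uri_ok(redirect_uri: str) -> bool:
    """Hardened check: the redirect_uri must be an absolute https URI with no
    fragment and must match a pre-registered URI byte for byte. No host
    heuristics, no prefix/suffix/substring logic."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.hostname or parts.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECT_URIS


def lax_only_accepts(candidates):
    """Return the candidates the lax check lets through but the strict check
    rejects, i.e. the inputs a correct validator must refuse."""
    return [u for u in candidates
            if lax_redirect_uri_ok(u) and not strict_redirect_uri_ok(u)]


# Constructed redirect_uri values a validator might receive.
SAMPLE_REDIRECT_URIS = [
    "https://app.example.com/oauth/callback",        # the registered URI
    "https://example.com.attacker.test/callback",    # registered domain as a label of a foreign host
    "https://notexample.com/callback",               # registered domain as a suffix of a foreign host
    "http://app.example.com/oauth/callback",         # right host, downgraded scheme
    "https://app.example.com/oauth/callback#token",  # right URI plus a fragment
]

if __name__ == "__main__":
    for uri in SAMPLE_REDIRECT_URIS:
        print(f"{uri:48} lax={lax_redirect_uri_ok(uri)!s:5} strict={strict_redirect_uri_ok(uri)}")
    print("accepted only by the lax check:", lax_only_accepts(SAMPLE_REDIRECT_URIS))
```

Only the first sample survives the strict check; the other four are exactly the kind of non-equivalent input that a domain-matching heuristic lets through.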

HarborGuard Coverage

Detection (status: Available)

Detection for CVE-2026-50090 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries, CI/CD pipelines, and custom-built images. Any image shipping the affected Aqara OAuth endpoint code is flagged automatically on each pipeline run.

Triage (status: Available)

HarborGuard is capable of scoring this CVE at 9.3 Critical (CVSS v3.1) and weighting that score against each customer environment's compliance policy to set ticket priority. Triage routing to the appropriate team inbox within each customer org is available as part of the standard policy-engine workflow.

Patch (status: Available)

No upstream fix version has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a fix. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The vulnerable OAuth endpoint is exposed over the internet; the attacker must be able to send the victim a crafted URL that reaches open-cn.aqara.com over the network.

  • Authentication: Not required

    No account or credential is needed to craft or deliver the malicious authorization request.

  • Victim interaction: Required

    The victim must follow a crafted OAuth authorization link, making this a social-engineering vector where the attacker tricks the user into clicking the URL.

  • Attack complexity: Low

    The exploit requires no race condition, special memory layout, or environmental prerequisite beyond delivering the malicious link.

Blast Radius

  • Attacker captures OAuth authorization codes redirected to an attacker-controlled URI, enabling full account takeover on any service the victim authorized.
  • Attacker obtains valid access tokens and can read private device data, automation rules, and any personal information exposed through the Aqara Cloud API.
  • Attacker can issue authenticated API requests on behalf of the victim, modifying device configurations, automation schedules, and account-linked settings.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-50090 at this time, HarborGuard monitors the Aqara advisory on every ingest cycle and will make a patched-image rebuild available automatically when the vendor ships a fix. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual steps the moment a fix version is published. While no patch is available, compensating controls worth considering include network-policy rules that restrict outbound OAuth redirect traffic to explicitly allow-listed domains, egress filtering at the container or service-mesh layer to block redirects to unrecognized hosts, and temporary feature-flag gating of OAuth authorization flows for deployments where the risk exposure is unacceptable. HarborGuard will surface the rebuild option in the CVE detail panel as soon as upstream availability is confirmed.


Fix available: 0

Affected packages
  • Aqara / Cloud OAuth Authorization Endpoint: < 0 (from 2026-04-20)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N