CVE-2026-50091: Aqara Home Android SDK hardcoded keys
Aqara Home Android (com.lumiunited.aqarahome) 6.0.0, and white-label clients that embed the same liblumidevsdk.so, ship hard-coded cryptographic keys in the native library, an instance of CWE-321 (Use of Hard-coded Cryptographic Key). The estimated CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 Critical).
Metrics
- CVSS v3.1: 9.1
- Severity: CRITICAL
- Fixed in: none published
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a hardcoded cryptographic key vulnerability (CWE-321) in the Aqara Home Android app (com.lumiunited.aqarahome) version 6.0.0 and any white-label Android clients that bundle the same liblumidevsdk.so shared library. The flaw is reachable over the network with no authentication required, as the embedded keys can be extracted from the app binary and used to decrypt or forge network traffic. Successful exploitation gives an attacker the ability to read sensitive data and tamper with device communications. No upstream fix has been published yet; HarborGuard is tracking the advisory for patch availability.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built Android runtime or IoT gateway images that bundle liblumidevsdk.so. Any image whose package manifest or binary inventory references the affected library version is flagged automatically.
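As an added example (not HarborGuard's scanner and not Aqara's code), the library-name match described above as a stand-alone Python check: it walks an exported image filesystem or unpacked app directory, opens any .apk/.aab/.zip/.jar archive it meets, and reports every liblumidevsdk.so with its SHA-256 so the hash can be compared against a known affected build. Only the library name comes from the advisory; the directory layout in build_sample() and the placeholder bytes are constructed for the demonstration.

```python
"""Find every copy of the advisory's shared library in a filesystem tree.

Added example, not HarborGuard's scanner or Aqara's code. Only the library
name is from the advisory; build_sample() creates a constructed fixture.
"""
import hashlib
import os
import tempfile
import zipfile

AFFECTED_LIB = "liblumidevsdk.so"            # library named in the advisory
ARCHIVE_SUFFIXES = (".apk", ".aab", ".zip", ".jar")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_tree(root: str) -> list[dict]:
    """One record per copy of AFFECTED_LIB under root, loose or inside an archive.

    Loose files match on basename; archives are opened and matching members
    are reported as "<archive>::<member>" so the hit can be located later.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == AFFECTED_LIB:
                with open(path, "rb") as fh:
                    hits.append({"location": path, "sha256": sha256_hex(fh.read())})
            elif name.lower().endswith(ARCHIVE_SUFFIXES) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    for member in zf.namelist():
                        if os.path.basename(member) == AFFECTED_LIB:
                            hits.append({"location": f"{path}::{member}",
                                         "sha256": sha256_hex(zf.read(member))})
    return sorted(hits, key=lambda h: h["location"])


LOOSE_BYTES = b"\x7fELF placeholder (loose copy)"      # constructed, not a real ELF
APK_BYTES = b"\x7fELF placeholder (copy inside apk)"   # constructed, not a real ELF


def build_sample(root: str) -> None:
    """Constructed fixture: a loose copy in a gateway image plus one inside an APK."""
    lib_dir = os.path.join(root, "opt", "gateway", "lib")
    os.makedirs(lib_dir, exist_ok=True)
    with open(os.path.join(lib_dir, AFFECTED_LIB), "wb") as fh:
        fh.write(LOOSE_BYTES)
    with zipfile.ZipFile(os.path.join(root, "app.apk"), "w") as zf:
        zf.writestr("classes.dex", b"dex\n")
        zf.writestr(f"lib/arm64-v8a/{AFFECTED_LIB}", APK_BYTES)


def demo() -> list[dict]:
    """Build the fixture in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return scan_tree(root)


if __name__ == "__main__":
    for hit in demo():
        print(hit["sha256"], hit["location"])
```

For a real scan, point scan_tree() at an exported image rootfs (for example the output of docker export) or at a directory of APKs; the SHA-256 is what you compare against the affected build, since a library with the same filename may be a different, already-fixed release.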
HarborGuard is capable of scoring this finding at CVSS 9.1 Critical and weighting it further against each environment's compliance policy (for example, stricter thresholds for internet-facing or IoT-adjacent workloads). Triage routing is available to direct the alert to the appropriate team inbox within each customer organization based on image ownership and policy rules.
Because no fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix appears. In the meantime, compensating-control guidance (network-policy isolation, egress filtering, and feature-flag gating for affected SDK functionality) is surfaced alongside the open finding to help teams reduce exposure while waiting for an upstream patch.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach, over the network, the traffic or endpoints that the keys protect; the CVSS vector specifies AV:N, meaning no local or physical access is required.
- Authentication: Not required
No account or credential is needed; PR:N means the attacker can use the extracted keys without authenticating to any service.
- Victim interaction: Not required
UI:N means the attacker does not need to trick any user into taking an action; from the victim's perspective exploitation is passive.
- Attack complexity: Low
AC:L indicates no special conditions: the keys are constants in the app binary, so extracting them needs no race or particular environmental state, and the same values apply to every installation of the affected library.
Blast Radius
- Reads encrypted device-to-cloud traffic by decrypting it with the extracted hardcoded keys, exposing session tokens, device state, and user account data.
- Forges or replays signed messages to the Aqara cloud backend or to local hub devices, modifying device configuration and automation rules without authorization.
- Affects all white-label apps embedding the same liblumidevsdk.so, meaning the same extracted keys apply across multiple brand variants of the SDK.
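The three consequences above, as an added Python illustration that is not Aqara's or HarborGuard's code and does not describe the real SDK protocol: SDK_KEY, the counter-mode HMAC stream cipher, the message layout and the JSON payloads are all constructed for the demonstration. It shows why a shared constant in the binary is the whole problem: an attacker holding it decrypts captured traffic and mints commands the backend accepts (a message counter stops plain replays but not freshly signed messages), whereas a per-device key provisioned outside the binary leaves the same attacker with nothing.

```python
"""CWE-321 in practice: a key baked into the client binary.

Added illustration, not Aqara's or HarborGuard's code. The key, cipher,
wire format and payloads are constructed; nothing here is the real protocol.
"""
import hashlib
import hmac
import os

# Constructed stand-in for a constant shipped inside a shared library.
SDK_KEY = bytes.fromhex("00112233445566778899aabbccddeeff"
                        "ffeeddccbbaa99887766554433221100")
LOCK = b'{"set":"lock","state":"locked"}'        # constructed payloads
UNLOCK = b'{"set":"lock","state":"unlocked"}'


def _stream(key: bytes, counter: int, length: int) -> bytes:
    """Keystream blocks: HMAC-SHA256(key, "stream" || counter || block index)."""
    out = b""
    for i in range((length + 31) // 32):
        msg = b"stream" + counter.to_bytes(8, "big") + i.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
    return out[:length]


def protect(key: bytes, counter: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Wire format: counter(8) || ciphertext || tag(32)."""
    hdr = counter.to_bytes(8, "big")
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, counter, len(plaintext))))
    tag = hmac.new(key, b"auth" + hdr + ct, hashlib.sha256).digest()
    return hdr + ct + tag


def unprotect(key: bytes, message: bytes) -> tuple[int, bytes]:
    """Constant-time tag check, then decrypt. Raises ValueError on a bad tag."""
    hdr, ct, tag = message[:8], message[8:-32], message[-32:]
    expected = hmac.new(key, b"auth" + hdr + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    counter = int.from_bytes(hdr, "big")
    return counter, bytes(a ^ b for a, b in zip(ct, _stream(key, counter, len(ct))))


class Receiver:
    """Backend or hub: verifies each message and rejects counters already seen."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = -1

    def accept(self, message: bytes) -> bytes:
        counter, plaintext = unprotect(self.key, message)
        if counter <= self.last_counter:
            raise ValueError("replay")
        self.last_counter = counter
        return plaintext


def enroll_device(server_secret: bytes, device_id: str) -> bytes:
    """Hardened variant: a per-device key derived from a server-side secret that
    never ships in the client and is handed to the device once, at enrollment."""
    return hmac.new(server_secret, b"device-key:" + device_id.encode(), hashlib.sha256).digest()


def _rejected(fn) -> bool:
    try:
        fn()
        return False
    except ValueError:
        return True


def scenario() -> dict:
    """Run the shared-key and per-device-key variants against the same attacker."""
    # Vulnerable: every client and the backend share the constant from the binary.
    hub = Receiver(SDK_KEY)
    captured = protect(SDK_KEY, 1, LOCK)
    hub.accept(captured)
    leaked = unprotect(SDK_KEY, captured)[1]                  # attacker reads the traffic
    forged_accepted = hub.accept(protect(SDK_KEY, 2, UNLOCK)) == UNLOCK  # and forges a command
    replay_rejected = _rejected(lambda: hub.accept(captured))  # old counter bounces...
    tampered = captured[:10] + bytes([captured[10] ^ 1]) + captured[11:]
    tamper_rejected = _rejected(lambda: unprotect(SDK_KEY, tampered))
    # ...but neither check helps when the attacker can sign a fresh counter himself.
    # Hardened: key derived outside the binary, so the extracted constant is useless.
    dev_key = enroll_device(os.urandom(32), "hub-0001")
    hardened_hub = Receiver(dev_key)
    hardened_hub.accept(protect(dev_key, 1, LOCK))
    real_msg = protect(dev_key, 2, LOCK)
    return {
        "leaked": leaked,
        "forged_accepted": forged_accepted,
        "replay_rejected": replay_rejected,
        "tamper_rejected": tamper_rejected,
        "hardened_read": not _rejected(lambda: unprotect(SDK_KEY, real_msg)),
        "hardened_forge": not _rejected(lambda: hardened_hub.accept(protect(SDK_KEY, 3, UNLOCK))),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value!r}")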
How HarborGuard Handles This
This CVE is matched against every image in connected registries and CI pipelines, including custom images that bundle the affected shared library. Because no upstream fix exists at this time, HarborGuard surfaces the finding at CVSS 9.1 Critical priority and attaches compensating-control recommendations: isolating affected containers behind strict network policy so that only the services which need the Aqara cloud endpoints can reach them, applying egress filtering so affected workloads can only talk to approved destinations, and disabling or gating SDK features that depend on the hard-coded keys until a patched version ships. These controls reduce the exposure of the workloads you run; they do not revoke the keys, which remain in every shipped copy of the library until the vendor rotates them in a fixed release. HarborGuard re-evaluates the advisory on every ingest cycle; for customers with auto-remediation enabled, a patched-image rebuild and regression run are triggered automatically and a PR is opened against affected workloads as soon as an upstream fix version is published.
Fix status
- Aqara / com.lumiunited.aqarahome: affected from 6.0.0; no fixed version published
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N