PatchSiren cyber security CVE debrief
CVE-2026-50083 Aqara CVE debrief
CVE-2026-50083 is a critical vulnerability in the Aqara IAM/SSO Gateway (gw-builder.aqara.com) caused by a hardcoded OAuth client credential. This is an instance of CWE-798: Use of Hard-coded Credentials. The vulnerability has a CVSS score of 9.1 and is classified as Critical. When combined with CVE-2026-50082, CVE-2026-50084, and CVE-2026-50085, it can lead to a fully unauthenticated, remote takeover of affected devices.
- Vendor: Aqara
- Product: Aqara IAM/SSO Gateway
- CVSS: CRITICAL 9.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Security teams and administrators responsible for Aqara IAM/SSO Gateway should be aware of this vulnerability and take immediate action to mitigate the risk.
Technical summary
The Aqara IAM/SSO Gateway used a hardcoded OAuth client credential (CWE-798), a violation of basic secret-management practice. An attacker who obtains the embedded credential can use it to authenticate to the gateway and potentially gain unauthorized access to affected devices.
Defensive priority
High
Recommended defensive actions
- Apply patches or updates provided by the vendor to fix the hardcoded OAuth client credential vulnerability.
- Review and update configurations to ensure that no other hardcoded credentials are present.
- Implement additional security measures, such as multi-factor authentication and monitoring, to detect and prevent potential attacks.
Evidence notes
The CVE record and NVD detail provide evidence of the vulnerability and its severity.
Official resources
- CVE-2026-50083 CVE record (CVE.org)
- CVE-2026-50083 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 44488dab-36db-4358-99f9-bc116477f914
CVE-2026-50083 was published on 2026-06-12T16:16:31.827Z and modified on 2026-06-12T17:16:25.107Z.