PatchSiren cyber security CVE debrief
CVE-2026-50084 Aqara CVE debrief
The Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) is vulnerable to CWE-862: Missing Authorization. This critical vulnerability, with a CVSS score of 9.6, allows any valid developer token to access any account. When combined with CVE-2026-50082, CVE-2026-50083, and CVE-2026-50085, it can lead to a fully unauthenticated, remote takeover of affected devices.
- Vendor: Aqara
- Product: Cloud Production API
- CVSS: CRITICAL 9.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of Aqara devices and administrators of the Aqara Cloud Production API should be aware of this vulnerability and take immediate action to mitigate the risk.
Technical summary
The Aqara Cloud Production API does not properly authorize requests, allowing an attacker with a valid developer token to access any account. This is an instance of CWE-862: Missing Authorization.
Defensive priority
High
Recommended defensive actions
- Update to the latest version of the Aqara Cloud Production API
- Restrict access to the API to only trusted developers and accounts
- Monitor API logs for suspicious activity
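One way to act on the log-monitoring recommendation, as an added example that is not from the advisory or from Aqara: it flags requests in which a developer token reaches an account that never granted it access, and tokens that do so across several accounts. The log field names (`token_id`, `account_id`, `status`), the grant map and every sample value are constructed assumptions, not the API's real log format.

```python
import json
from collections import defaultdict

# Assumed grant store (constructed): accounts that authorized each developer token.
GRANTS = {
    "dev-token-A": {"acct-1001"},
    "dev-token-B": {"acct-2002", "acct-2003"},
}

# Constructed gateway log, one JSON record per request (hypothetical field names).
SAMPLE_LOG = """\
{"ts": "2026-06-12T10:00:01Z", "token_id": "dev-token-A", "account_id": "acct-1001", "status": 200}
{"ts": "2026-06-12T10:00:02Z", "token_id": "dev-token-B", "account_id": "acct-2002", "status": 200}
{"ts": "2026-06-12T10:00:05Z", "token_id": "dev-token-A", "account_id": "acct-2002", "status": 200}
{"ts": "2026-06-12T10:00:06Z", "token_id": "dev-token-A", "account_id": "acct-2003", "status": 200}
{"ts": "2026-06-12T10:00:07Z", "token_id": "dev-token-A", "account_id": "acct-3004", "status": 200}
{"ts": "2026-06-12T10:00:09Z", "token_id": "dev-token-B", "account_id": "acct-1001", "status": 403}
this line is truncated and not valid JSON
"""


def find_unauthorized_access(log_text, grants, fanout_threshold=3):
    """Return (violations, fanout) for token/account pairs with no grant on record."""
    violations = []
    ungranted = defaultdict(set)
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            rec = json.loads(line)
            token, account = rec["token_id"], rec["account_id"]
            status = int(rec["status"])
        except (ValueError, KeyError, TypeError):
            continue  # malformed or incomplete record: skip it, do not crash the scan
        if account in grants.get(token, set()):
            continue  # token is bound to this account, expected traffic
        # A 2xx answer means the API served an account that never authorized
        # this token, which is the missing-authorization signal; 4xx was blocked.
        violations.append({"line": lineno, "token_id": token,
                           "account_id": account, "served": 200 <= status < 300})
        ungranted[token].add(account)
    # Tokens touching many ungranted accounts suggest enumeration, not a one-off bug.
    fanout = {t: sorted(a) for t, a in ungranted.items() if len(a) >= fanout_threshold}
    return violations, fanout


if __name__ == "__main__":
    hits, wide = find_unauthorized_access(SAMPLE_LOG, GRANTS)
    for hit in hits:
        print(hit)
    print("tokens with cross-account fan-out:", wide)
```

Served violations are the ones to triage first; blocked ones show the authorization check working for that route.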
Evidence notes
Evidence of this vulnerability was provided by runZero and xn0tsa.
Official resources
- CVE-2026-50084 CVE record (CVE.org)
- CVE-2026-50084 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 44488dab-36db-4358-99f9-bc116477f914
CVE-2026-50084 was published on 2026-06-12T16:16:31.940Z and modified on 2026-06-12T17:16:25.203Z.