PatchSiren cyber security CVE debrief
CVE-2026-50085 Aqara CVE debrief
The Aqara Board service (op-test.aqara.com) is vulnerable to unauthenticated MQTT command injection, classified as CWE-306: Missing Authentication for Critical Function. The CVSS score for this vulnerability is 8.6, indicating high severity. When combined with CVE-2026-50082, CVE-2026-50083, and CVE-2026-50084, this vulnerability can lead to a fully unauthenticated, remote takeover of affected devices.
- Vendor: Aqara
- Product: Board service
- CVSS: HIGH 8.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users and administrators of the Aqara Board service, as well as IoT device users and administrators who may be affected by this vulnerability.
Technical summary
The Aqara Board service accepts arbitrary MQTT command payloads and forwards them to the platform's HiveMQ broker without authenticating the sender. Because no credential or session is required to reach this function (CWE-306), a remote attacker can inject MQTT commands directly, which, chained with the related CVEs listed above, can lead to a remote takeover of affected devices.
Defensive priority
High
Recommended defensive actions
- Apply patches or updates provided by the vendor to fix the vulnerability.
- Implement authentication and authorization for MQTT command payloads.
- Monitor and restrict access to the Aqara Board service.
Evidence notes
Evidence for this CVE includes references to the NVD and CVE.org records, as well as source references from GitHub and RunZero.
Official resources
- CVE-2026-50085 CVE record (CVE.org)
- CVE-2026-50085 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 44488dab-36db-4358-99f9-bc116477f914
CVE-2026-50085 was published on 2026-06-12T16:16:32.060Z and modified on 2026-06-12T17:16:25.317Z.