PatchSiren

CVE-2026-50087 Aqara CVE debrief

CVE-2026-50087 is a cross-origin resource sharing (CORS) vulnerability, classified as CWE-942: Permissive Cross-domain Policy with Untrusted Domains. It affects the Aqara IAM/SSO gateway (gw-builder.aqara.com) and has a CVSS score of 8.2 (High) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N.

Vendor: Aqara
Product: Aqara IAM/SSO Gateway
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-12
Original CVE updated: 2026-06-12
Advisory published: 2026-06-12
Advisory updated: 2026-06-12

Who should care

Security teams and administrators responsible for the Aqara IAM/SSO gateway should be aware of this vulnerability and take necessary actions to mitigate it.

Technical summary

The Aqara IAM/SSO gateway exhibits a cross-origin resource sharing (CORS) vulnerability, which allows an attacker to make unauthorized requests on behalf of the user. Exploitation requires user interaction (UI:R) and can result in high confidentiality impact (C:H), low integrity impact (I:L), and no availability impact (A:N).

Defensive priority

High

Recommended defensive actions

  • Review and update the Aqara IAM/SSO gateway configuration to restrict cross-origin requests.
  • Implement proper cross-origin resource sharing (CORS) policies.
  • Monitor the gateway for suspicious activity.
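
One way to implement the restricted CORS policy recommended above, shown beside a generic CWE-942 pattern for contrast. This is an added example, not Aqara's code or the gateway's actual behaviour; the allowlist entries and function names are assumptions for illustration.

```javascript
// Placeholder allowlist (assumption): replace with the origins that
// genuinely need credentialed access to the gateway.
const ALLOWED_ORIGINS = new Set([
  'https://console.example.com',
  'https://login.example.com',
]);

// Generic CWE-942 pattern, shown only for contrast: every caller-supplied
// Origin is echoed back with credentials enabled, so any site the user
// visits can read authenticated responses.
function permissiveCorsHeaders(originHeader) {
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened form: CORS headers are granted only on an exact allowlist match.
// When the origin is not allowed, only "Vary: Origin" is returned and the
// browser blocks the cross-origin read.
function corsHeadersFor(originHeader) {
  // Vary on Origin so a shared cache never replays one origin's grant
  // to a different origin.
  const headers = { Vary: 'Origin' };
  // Missing header or the opaque "null" origin (sandboxed frames,
  // file: pages) is never trusted.
  if (typeof originHeader !== 'string' || originHeader === 'null') {
    return headers;
  }
  let parsed;
  try {
    parsed = new URL(originHeader);
  } catch {
    return headers; // not a parseable origin
  }
  // A real Origin header is already scheme://host[:port]. Requiring the
  // normalised form to equal the input rejects paths, userinfo and
  // mixed-case variants instead of trying to interpret them.
  if (parsed.origin !== originHeader) return headers;
  // Exact match only: no suffix, prefix or regex tests, which is where
  // look-alike hosts such as console.example.com.attacker.test slip in.
  if (!ALLOWED_ORIGINS.has(parsed.origin)) return headers;
  headers['Access-Control-Allow-Origin'] = parsed.origin;
  headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}
```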

Evidence notes

The CVE record and NVD detail pages provide additional information about the vulnerability.

Official resources

CVE-2026-50087 was published on 2026-06-12T16:16:32.297Z and modified on 2026-06-12T17:16:25.813Z.