PatchSiren cyber security CVE debrief
CVE-2026-50090 Aqara CVE debrief
CVE-2026-50090 is a critical vulnerability in the Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize). The vulnerability is caused by lax controls on domain matching, which is an instance of CWE-1289: Improper Validation of Unsafe Equivalence in Input. The estimated CVSS score is 9.3 (Critical).
- Vendor: Aqara
- Product: Cloud OAuth Authorization Endpoint
- CVSS: CRITICAL 9.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of the Aqara Cloud OAuth Authorization Endpoint are advised to take immediate action to mitigate this vulnerability.
Technical summary
The Aqara Cloud OAuth Authorization Endpoint is vulnerable to a redirect bypass due to lax controls on domain matching. This is an instance of CWE-1289: Improper Validation of Unsafe Equivalence in Input. The CVSS score is 9.3 (Critical) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N.
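The redirect-bypass class named above comes down to how the `redirect_uri` parameter is compared with the value registered for the client. The following Python is added here as an illustration of CWE-1289 in that setting; it is not Aqara's code and is not derived from the advisory. It contrasts a lax host check that treats any host containing the registered host string as equivalent with the exact-match comparison RFC 6749 section 3.1.2.2 calls for. The client id, the registered URI and the test inputs are all constructed.

```python
"""Constructed example: lax vs exact redirect_uri matching at an OAuth
authorization endpoint (CWE-1289 style equivalence bug). Not Aqara's code."""
from urllib.parse import urlsplit

# Constructed registration: each client may only redirect to exact URIs.
REGISTERED_REDIRECT_URIS = {
    "client-a": ("https://app.example.com/oauth/callback",),
}


def lax_redirect_allowed(client_id: str, redirect_uri: str) -> bool:
    """Weak check: accepts any redirect_uri whose host merely *contains*
    the registered host string, so non-equivalent hosts pass as equivalent."""
    host = (urlsplit(redirect_uri).hostname or "").lower()
    for registered in REGISTERED_REDIRECT_URIS.get(client_id, ()):
        if urlsplit(registered).hostname.lower() in host:
            return True
    return False


def strict_redirect_allowed(client_id: str, redirect_uri: str) -> bool:
    """Exact-match check: scheme, host, port, path and query must all equal a
    registered URI; fragments and userinfo are rejected outright."""
    try:
        req = urlsplit(redirect_uri)
        req_port = req.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if req.fragment or req.username is not None or req.password is not None:
        return False
    for registered in REGISTERED_REDIRECT_URIS.get(client_id, ()):
        reg = urlsplit(registered)
        if (req.scheme.lower(), (req.hostname or "").lower(), req_port,
                req.path, req.query) == (reg.scheme.lower(), reg.hostname.lower(),
                                         reg.port, reg.path, reg.query):
            return True
    return False


# Constructed inputs: the registered URI plus look-alike variants a validator
# should reject.
CASES = [
    "https://app.example.com/oauth/callback",                # registered: should pass
    "https://app.example.com.attacker.test/oauth/callback",  # registered host as leading labels
    "https://evilapp.example.com/oauth/callback",            # registered host as a substring
    "http://app.example.com/oauth/callback",                 # scheme downgrade
    "https://app.example.com:8443/oauth/callback",           # different port
    "https://app.example.com/oauth/callback#token",          # fragment present
]


def compare(client_id: str = "client-a") -> dict:
    """Return {redirect_uri: (lax_result, strict_result)} for every case."""
    return {u: (lax_redirect_allowed(client_id, u),
                strict_redirect_allowed(client_id, u)) for u in CASES}


if __name__ == "__main__":
    for uri, (lax, strict) in compare().items():
        print(f"lax={lax!s:5} strict={strict!s:5} {uri}")
```

Running the block shows the lax check accepting every variant while the exact-match check accepts only the registered URI. The practical check for a defender is whether an authorization server rejects every variant other than the exact registered value; anything that is accepted on the basis of a host suffix, prefix or substring is a candidate for this weakness.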
Defensive priority
High
Recommended defensive actions
- Apply patches or updates provided by the vendor to fix the vulnerability.
- Implement additional security measures to detect and prevent exploitation attempts.
Evidence notes
The vulnerability was reported by Runzero and has been documented on GitHub.
Official resources
- CVE-2026-50090 CVE record (CVE.org)
- CVE-2026-50090 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 44488dab-36db-4358-99f9-bc116477f914
CVE-2026-50090 was published on 2026-06-12T16:16:32.623Z and modified on 2026-06-12T17:16:26.170Z.