PatchSiren cyber security CVE debrief
CVE-2026-50091 Aqara CVE debrief
CVE-2026-50091 is a critical vulnerability in Aqara Home Android (com.lumiunited.aqarahome) 6.0.0 and in white-label clients embedding the same liblumidevsdk.so. It is caused by the use of hardcoded cryptographic keys and is classified as CWE-321: Use of Hard-coded Cryptographic Key. The estimated CVSS score is 9.1 (Critical), with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N.
- Vendor: Aqara
- Product: com.lumiunited.aqarahome
- CVSS: CRITICAL 9.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of Aqara Home Android (com.lumiunited.aqarahome) 6.0.0 and white-label clients embedding the same liblumidevsdk.so should be aware of this critical vulnerability.
Technical summary
The Aqara Home Android application (com.lumiunited.aqarahome) version 6.0.0 and white-label clients using the same liblumidevsdk.so library are vulnerable to CWE-321: Use of Hard-coded Cryptographic Key. This vulnerability has a CVSS score of 9.1, indicating critical severity.
Defensive priority
High
Recommended defensive actions
- Update to a version of Aqara Home Android that does not use hardcoded cryptographic keys, if available.
- Review and modify the liblumidevsdk.so library usage in white-label clients to ensure secure key management.
- Consider implementing additional security measures to mitigate potential risks associated with this vulnerability.
Evidence notes
Evidence for this CVE includes analysis from runZero and a GitHub repository.
Official resources
- CVE-2026-50091 CVE record (CVE.org)
- CVE-2026-50091 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 44488dab-36db-4358-99f9-bc116477f914
CVE-2026-50091 was published on 2026-06-12T16:16:32.737Z and modified on 2026-06-12T17:16:26.283Z.