PatchSiren

Aqara CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL Aqara CVE published 2026-06-12

CVE-2026-50091

CVE-2026-50091 is a critical vulnerability in Aqara Home Android (com.lumiunited.aqarahome) 6.0.0 and white-label clients embedding the same liblumidevsdk.so. The vulnerability is caused by the use of hardcoded cryptographic keys, classified as CWE-321: Use of Hard-coded Cryptographic Key. The estimated CVSS score is 9.1 (Critical) with CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N.

CRITICAL Aqara CVE published 2026-06-12

CVE-2026-50090

CVE-2026-50090 is a critical vulnerability in the Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize). The vulnerability is caused by lax controls on domain matching, which is an instance of CWE-1289: Improper Validation of Unsafe Equivalence in Input. The estimated CVSS score is 9.3 (Critical).

MEDIUM Aqara CVE published 2026-06-12

CVE-2026-50089

CVE-2026-50089 is a Medium severity vulnerability in the Aqara IAM/SSO Gateway (gw-builder.aqara.com). The vulnerability is an instance of CWE-601: URL Redirection to Untrusted Site, which can be exploited to set up a phishing attack. The CVSS score for this vulnerability is 6.1, with an Attack Vector (AV) of Network (N), Attack Complexity (AC) of Low (L), Privileges Required (PR) of None (N), User Intera [truncated]

HIGH Aqara CVE published 2026-06-12

CVE-2026-50088

CVE-2026-50088 is a high-severity vulnerability (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, 8.2 High) affecting the Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com). The vulnerability is an instance of CWE-942: Permissive Cross-domain Policy with Untrusted Domains, allowing cross-origin resource sharing (CORS) with untrusted origins.

HIGH Aqara CVE published 2026-06-12

CVE-2026-50087

CVE-2026-50087 is a cross-origin resource sharing (CORS) vulnerability, classified as CWE-942: Permissive Cross-domain Policy with Untrusted Domains. The vulnerability affects the Aqara IAM/SSO gateway (gw-builder.aqara.com) and has a CVSS score of 8.2 (High) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N.

HIGH Aqara CVE published 2026-06-12

CVE-2026-50085

The Aqara Board service (op-test.aqara.com) is vulnerable to unauthenticated MQTT command injection, classified as CWE-306: Missing Authentication for Critical Function. The CVSS score for this vulnerability is 8.6, indicating high severity. When combined with CVE-2026-50082, CVE-2026-50083, and CVE-2026-50084, this vulnerability can lead to a fully unauthenticated, remote takeover of affected devices.

CRITICAL Aqara CVE published 2026-06-12

CVE-2026-50084

The Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) is vulnerable to CWE-862: Missing Authorization. This critical vulnerability, with a CVSS score of 9.6, allows any valid developer token to access any account. When combined with CVE-2026-50082, CVE-2026-50083, and CVE-2026-50085, it can lead to a fully unauthenticated, remote takeover of affected devices.

CRITICAL Aqara CVE published 2026-06-12

CVE-2026-50083

CVE-2026-50083 is a critical vulnerability in the Aqara IAM/SSO Gateway (gw-builder.aqara.com) caused by a hardcoded OAuth client credential. This is an instance of CWE-798: Use of Hard-coded Credentials. The vulnerability has a CVSS score of 9.1 and is classified as Critical. When combined with CVE-2026-50082, CVE-2026-50084, and CVE-2026-50085, it can lead to a fully unauthenticated, remote takeover of [truncated]

MEDIUM Aqara CVE published 2026-06-12

CVE-2026-50082

CVE-2026-50082 is an instance of CWE-306: Missing Authentication for Critical Function. The Aqara Cloud Developer Portal (developer.aqara.com) issued a developer token to any email address supplied by the attacker. The estimated CVSS score is 6.5 (Medium). When combined with CVE-2026-50083, CVE-2026-50084, and CVE-2026-50085, an unauthenticated attacker could execute a full takeover of affected devices.