CVE-2026-50084: CWE-862: Missing Authorization in Aqara Cloud Production API
The Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) would authorize any valid developer token for access to any account. This is an instance of "CWE-862: Missing Authorization" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N (9.6 Critical). When combined with CVE-2026-50082, CVE-2026-50083, and CVE-2026-50085, this can lead to a fully unauthenticated, remote takeover of affected devices.
AI Analysis
Technical Summary
The Aqara Cloud Production API at open-cn.aqara.com/v3.0/open/api improperly authorizes any valid developer token for access to any account, representing a CWE-862 Missing Authorization vulnerability. This allows an attacker with a valid developer token to access and potentially control other user accounts. The vulnerability is rated critical with a CVSS 3.1 score of 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N). When combined with related vulnerabilities CVE-2026-50082, CVE-2026-50083, and CVE-2026-50085, it may enable a fully unauthenticated remote takeover of affected devices. The affected version is specifically the 2026-04-20 release of the API. No patch or official remediation has been disclosed as of the publication date.
Potential Impact
An attacker possessing any valid developer token can bypass proper authorization controls to access any user account on the Aqara Cloud Production API. This leads to a complete compromise of confidentiality and integrity of user data and control over associated devices. The vulnerability does not impact availability. Combined with other related vulnerabilities, it may enable full remote takeover of devices.
Mitigation Recommendations
Patch status is not yet confirmed; check the vendor advisory for current remediation guidance. Until an official fix is released, restrict who can obtain and use developer tokens, and monitor API access for developer tokens being used against accounts they were not issued for, since cross-account access is the behaviour this vulnerability permits. Follow vendor communications closely for updates on remediation.
Technical Details
- Data Version: 5.2
- Assigner Short Name: runZero
- Date Reserved: 2026-06-03T14:25:34.982Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a2c2839e617e2d83487dab3
Added to database: 6/12/2026, 3:39:37 PM
Last enriched: 6/12/2026, 3:55:31 PM
Last updated: 6/13/2026, 4:56:49 AM