Description
The Aqara Cloud Developer Portal (developer.aqara.com) issued a developer token to any email address supplied by the attacker. This is an instance of "CWE-306: Missing Authentication for Critical Function" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (6.5 Medium). When combined with CVE-2026-50083, CVE-2026-50084, and CVE-2026-50085, any otherwise-unauthenticated attacker could execute a full takeover of affected devices.
Published: 2026-06-12
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Aqara Cloud Developer Portal generates a developer token for any email address supplied by the requester, without authenticating the requester or checking that they control that address: a missing authentication check for a critical function. An unauthenticated attacker can therefore obtain a developer token that may grant access to other portal functions or to devices, and when combined with the adjacent vulnerabilities CVE-2026-50083, CVE-2026-50084 and CVE-2026-50085 this can lead to a full takeover of affected devices.

Affected Systems

Aqara Cloud Developer Portal. No specific product version information is provided in the advisory.

Risk and Exploitability

The CVSS 3.1 score of 6.5 rates the issue medium severity (network-reachable, low complexity, no privileges or user interaction required, limited confidentiality and integrity impact). EPSS is below 1% (very low) and the vulnerability is not listed in the CISA KEV catalog; the SSVC record marks exploitation status as "poc" and the issue as automatable. The attack vector is remote over the Internet via the portal's token request endpoint: an attacker only needs to submit an arbitrary email address to obtain a developer token, with no proof that they control that address. The ease of exploitation and the potential to chain it with the three related CVEs make this a realistic threat for organisations that rely on the portal for device management.

Generated by OpenCVE AI on June 12, 2026 at 16:23 UTC.
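The issuance pattern described above, as an added example that is not Aqara's code and not part of the advisory: a minimal Python model of a token-issuance handler that mints a token for whatever email address the request body carries (the CWE-306 pattern), beside a hardened handler that issues tokens only for the verified identity behind an authenticated session. The endpoint, request fields, session store and token layout are all assumptions; nothing about the real developer.aqara.com implementation is known from the advisory.

```python
# Added example, not Aqara's code: a minimal model of the CWE-306 pattern
# behind CVE-2026-50082. The real developer.aqara.com endpoint, request
# format, session handling and token format are not described in the
# advisory; the field names, token layout and session store below are
# assumed for illustration only.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed: a per-deployment HMAC key used to sign issued developer tokens.
SERVER_KEY = secrets.token_bytes(32)


class AuthError(Exception):
    """Raised when a token request is not backed by a proven identity."""


def mint_token(email: str) -> str:
    # Assumed token layout: "<email>:<hex HMAC-SHA256 over the email>".
    mac = hmac.new(SERVER_KEY, email.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{email}:{mac}"


def verify_token(token: str) -> Optional[str]:
    """Return the email a token was issued for, or None if the MAC is bad.

    A valid MAC says nothing about WHO obtained the token; that is exactly
    why issuance itself has to be authenticated.
    """
    email, _, mac = token.rpartition(":")
    if not mac or not mac.isascii():
        return None
    expected = hmac.new(SERVER_KEY, email.encode("utf-8"), hashlib.sha256).hexdigest()
    return email if hmac.compare_digest(mac, expected) else None


# ---- Vulnerable pattern (CWE-306) ---------------------------------------
def issue_token_vulnerable(request_body: Dict[str, str]) -> str:
    """Whoever posts an email address gets a token for it.

    No login and no proof of control of the address: any unauthenticated
    caller can mint a developer token for any account.
    """
    return mint_token(request_body["email"])


# ---- Hardened pattern ---------------------------------------------------
@dataclass
class Session:
    user_email: str
    email_verified: bool  # address confirmed through a verification step


# Assumed session store: opaque session id -> Session.
SESSIONS: Dict[str, Session] = {}


def issue_token_hardened(session_id: Optional[str], request_body: Dict[str, str]) -> str:
    """Issue a token only for the identity the caller has already proven.

    The email in the request body is never trusted as the token subject;
    at most it is checked for consistency with the authenticated session.
    """
    session = SESSIONS.get(session_id) if session_id else None
    if session is None:
        raise AuthError("authentication required before token issuance")
    if not session.email_verified:
        raise AuthError("email address has not been verified")
    requested = request_body.get("email")
    if requested is not None and requested.casefold() != session.user_email.casefold():
        raise AuthError("cannot issue a token for another identity")
    return mint_token(session.user_email)
```

The point of the hardened handler is that the token subject is derived from server-side state the caller has already authenticated to, not from a client-supplied field; the body's email, if present at all, only has to agree with that state.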

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor fix once one is published; at the time of writing no vendor fix or workaround is available.
  • Issue developer tokens only to an authenticated requester, and only for the email address that requester has already verified; never accept an arbitrary email address from the request body as the token subject.
  • Enable multi-factor authentication for the developer portal and require it for token issuance actions.
  • Monitor token issuance and usage logs for anomalous patterns, such as one source obtaining tokens for many distinct email addresses, and alert on them.

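For the monitoring item above, an added detection example (not OpenCVE's or Aqara's tooling) that runs over constructed portal log lines in an assumed format and flags a source that was issued tokens for many distinct email addresses inside a short window, which is what exploitation of this flaw looks like at scale. The log schema, field names, window and threshold are assumptions; the real portal's log format is not published.

```python
# Added example, not OpenCVE's or Aqara's tooling: flags the log signature
# of an issue-a-token-for-any-email flaw being exploited, namely one source
# obtaining tokens for many distinct email addresses in a short window.
# The log format is assumed (the portal's real schema is not published)
# and the sample lines are constructed.
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample, assumed format:
# "<ISO-8601 UTC> <source ip> <action> <email> <result>"
SAMPLE_LOG = """\
2026-06-12T10:00:01Z 203.0.113.7 token_issue alice@example.com ok
2026-06-12T10:00:02Z 203.0.113.7 token_issue bob@example.com ok
2026-06-12T10:00:03Z 203.0.113.7 token_issue Carol@example.com ok
2026-06-12T10:00:04Z 203.0.113.7 token_issue carol@example.com ok
2026-06-12T10:00:05Z 203.0.113.7 token_issue dave@example.com ok
2026-06-12T10:00:06Z 203.0.113.7 token_issue erin@example.com denied
2026-06-12T10:00:07Z 203.0.113.7 token_issue frank@example.com ok
2026-06-12T10:30:00Z 198.51.100.9 token_issue dev@example.org ok
2026-06-12T11:00:00Z 198.51.100.9 token_issue dev@example.org ok
2026-06-12T11:00:05Z 198.51.100.9 login dev@example.org ok
"""

Event = Tuple[datetime, str, str, str, str]


def parse_line(line: str) -> Event:
    """Split one log line into (timestamp, source, action, email, result)."""
    ts, src, action, email, result = line.split()
    # Case-fold the address so Carol@ and carol@ count as one subject.
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, action, email.casefold(), result)


def find_token_sprays(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Return one alert per source issued tokens for >= threshold distinct
    addresses within `window`.

    Only successful issuance counts (that is where the harm is); denied
    requests and other actions are ignored. A sliding per-source deque
    keeps only events inside the window.
    """
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: List[Dict] = []
    alerted = set()
    for ts, src, action, email, result in events:
        if action != "token_issue" or result != "ok":
            continue
        q = recent[src]
        q.append((ts, email))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {e for _, e in q}
        if len(distinct) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "src": src,
                "from": q[0][0].isoformat(),
                "to": ts.isoformat(),
                "distinct_emails": sorted(distinct),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_token_sprays(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the first source is flagged once it reaches five distinct addresses (the duplicate Carol/carol pair and the denied request do not count), while the second source, which repeatedly requests a token for its own address, is not. Tune the threshold to the portal's legitimate per-account issuance rate before alerting on it.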

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Aqara
                                       Aqara cloud Developer Portal
Vendors & Products                     Aqara
                                       Aqara cloud Developer Portal

Fri, 12 Jun 2026 16:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 15:45:00 +0000

Type          Values Removed   Values Added
Description                    The Aqara Cloud Developer Portal (developer.aqara.com) issued a developer token to any email address supplied by the attacker. This is an instance of "CWE-306: Missing Authentication for Critical Function" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (6.5 Medium). When combined with CVE-2026-50083, CVE-2026-50084, and CVE-2026-50085, any otherwise-unauthenticated attacker could execute a full takeover of affected devices.
Title                          Aqara Developer Portal insecure authentication token
Weaknesses                     CWE-306
References
Metrics                        cvssV3_1
                               {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: runZero

Published:

Updated: 2026-06-12T15:53:41.579Z

Reserved: 2026-06-03T14:25:34.981Z

Link: CVE-2026-50082

Vulnrichment

Updated: 2026-06-12T15:53:37.552Z

NVD

Status : Awaiting Analysis

Published: 2026-06-12T16:16:31.707

Modified: 2026-06-12T17:16:25.007

Link: CVE-2026-50082

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T20:19:59Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function