Description
The Aqara IAM/SSO Gateway (gw-builder.aqara.com) used a hardcoded OAuth client credential, which is an instance of "CWE-798: Use of Hard-coded Credentials." This issue has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 Critical). When combined with CVE-2026-50082, CVE-50084, and CVE-50085, this can lead to a fully unauthenticated, remote takeover of affected devices.
Published: 2026-06-12
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Aqara IAM/SSO Gateway contains a hard-coded OAuth client credential, an instance of CWE-798. Because the credential is embedded directly in the gateway's code, an attacker who discovers or predicts the credential can bypass authentication entirely. This allows an unauthenticated user to control the gateway, potentially executing arbitrary commands on the underlying device or network, and can lead to a full remote takeover when combined with the related CVE-2026-50082, CVE-2026-50084, and CVE-2026-50085.

Affected Systems

Aqara’s IAM/SSO Gateway, distributed under the domain gw-builder.aqara.com, is the sole affected component. No specific version range is listed; therefore, any release that includes the hard‑coded credential is vulnerable. The product is sold and supported by Aqara.

Risk and Exploitability

The CVSS base score of 9.1 categorizes this flaw as Critical. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote and unauthenticated via the OAuth flow; no local privileges or special user interaction are required, which makes exploitation straightforward for any network‑exposed instance.

Generated by OpenCVE AI on June 12, 2026 at 17:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply vendor‑supplied patch that removes the hard‑coded OAuth client credential
  • Re‑configure the Gateway to use secure, dynamically generated OAuth client credentials or remove the hard‑coded credential altogether
  • Restrict network exposure of the Gateway by placing it behind a firewall or VPN and limiting access to trusted IP ranges

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:45:00 +0000

Type                  Values Removed    Values Added
First Time appeared   -                 Aqara; Aqara aquara Iam/sso Gateway
Vendors & Products    -                 Aqara; Aqara aquara Iam/sso Gateway

Fri, 12 Jun 2026 16:30:00 +0000

Type                  Values Removed    Values Added
Metrics               -                 ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 15:45:00 +0000

Type                  Values Removed    Values Added
Description           -                 The Aqara IAM/SSO Gateway (gw-builder.aqara.com) used a hardcoded OAuth client credential, which is an instance of "CWE-798: Use of Hard-coded Credentials." This issue has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 Critical). When combined with CVE-2026-50082, CVE-50084, and CVE-50085, this can lead to a fully unauthenticated, remote takeover of affected devices.
Title                 -                 Aqara hardcoded OAuth client credentials
Weaknesses            -                 CWE-798
References            -                 -
Metrics               -                 cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: runZero

Published:

Updated: 2026-06-12T15:56:21.727Z

Reserved: 2026-06-03T14:25:34.982Z

Link: CVE-2026-50083

Vulnrichment

Updated: 2026-06-12T15:56:17.923Z

NVD

Status : Awaiting Analysis

Published: 2026-06-12T16:16:31.827

Modified: 2026-06-12T17:16:25.107

Link: CVE-2026-50083

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T20:19:57Z

Weaknesses
  • CWE-798: Use of Hard-coded Credentials