Description
The Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) would authorize any valid developer token for access to any account. This is an instance of "CWE-862: Missing Authorization" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N (9.6 Critical). When combined with CVE-2026-50082, CVE-50083, and CVE-50085, this can lead to a fully unauthenticated, remote takeover of affected devices.
Published: 2026-06-12
Score: 9.6 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Aqara’s Cloud Production API mistakenly authorizes any valid developer token to access any user account. This missing authorization flaw (CWE‑862) allows an attacker with a legitimate token to read sensitive account data and, when combined with other API weaknesses, to remotely take control of Aqara devices.

Affected Systems

The vulnerability resides in Aqara’s Cloud Production API endpoint at open-cn.aqara.com/v3.0/open/api. No specific software versions are listed; the issue applies to the current production API service.

Risk and Exploitability

The CVSS score of 9.6 marks this flaw as Critical. Although the EPSS score is not available, the lack of a KEV listing does not reduce the severity of the identified risks. The likely attack vector is an authenticated network request to the API; the attacker must possess a legitimate developer token, which could be obtained through credential compromise or token theft. If the token is in hand, the attacker can exploit the missing boundary checks to pivot into other accounts and ultimately gain unauthenticated remote control of devices.

Generated by OpenCVE AI on June 12, 2026 at 16:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Contact Aqara support to confirm a patch or API fix has been released
  • Apply the released update as soon as it becomes available
  • Revoke all existing developer tokens
  • Issue new tokens scoped only to the intended account and rotate them regularly
  • Implement monitoring of API usage to detect cross‑account access patterns and configure alerts
  • Disable or revoke any token that is used outside its intended account boundaries

Generated by OpenCVE AI on June 12, 2026 at 16:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Aqara
Aqara cloud Production Api
Vendors & Products Aqara
Aqara cloud Production Api

Fri, 12 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description The Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) would authorize any valid developer token for access to any account. This is an instance of "CWE-862: Missing Authorization" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N (9.6 Critical). When combined with CVE-2026-50082, CVE-50083, and CVE-50085, this can lead to a fully unauthenticated, remote takeover of affected devices.
Title Aqara API cross-account access
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N'}

Subscriptions

Aqara Cloud Production Api
cve-icon MITRE

Status: PUBLISHED

Assigner: runZero

Published:

Updated: 2026-06-12T15:55:29.162Z

Reserved: 2026-06-03T14:25:34.982Z

Link: CVE-2026-50084

cve-icon Vulnrichment

Updated: 2026-06-12T15:55:24.977Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-12T16:16:31.940

Modified: 2026-06-12T17:16:25.203

Link: CVE-2026-50084

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T20:19:55Z

Weaknesses