Description
The Aqara IAM/SSO gateway (gw-builder.aqara.com) exposes bidirectional AES round-trups against the platform's signing key without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and "CWE-327: Use of a Broken or Risky Cryptographic Algorithm," and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High).
Published: 2026-06-12
Score: 10 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Aqara IAM/SSO gateway (gw-builder.aqara.com) allows an attacker to perform bidirectional AES round‑trup operations against the platform’s signing key without any authentication. This turns the service into a cryptographic oracle, enabling attackers to recover the signing key and thereby decrypt secured traffic and impersonate the gateway as an authenticated system.

Affected Systems

The vulnerability affects Aqara’s IAM/SSO Gateway (gw-builder.aqara.com). No specific version or build information is provided; all current deployments are potentially impacted.

Risk and Exploitability

The CVSS score of 10.0 indicates a critical flaw. While an EPSS score is not available, the absence of authentication means an attacker can trigger the oracle from any network location. The vulnerability is not listed in CISA’s KEV catalog, yet the ease of extracting the signing key makes exploitation highly attractive and likely to occur in the wild.

Generated by OpenCVE AI on June 12, 2026 at 17:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s security patch that updates the AES implementation and enforces authentication for round‑trup operations.
  • Restrict inbound access to the gateway using firewall rules or network segmentation, allowing only trusted management hosts.
  • Monitor gateway logs and network traffic for repeated unauthenticated decryption attempts, and block offending IP addresses.
  • Rotate or revoke the signing key regularly and enforce a short key lifetime to limit the window of exploitation if a key is compromised.

Generated by OpenCVE AI on June 12, 2026 at 17:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Aqara
Aqara aqara Iam/sso Gateway
Vendors & Products Aqara
Aqara aqara Iam/sso Gateway

Fri, 12 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description The Aqara IAM/SSO gateway (gw-builder.aqara.com) exposes bidirectional AES round-trups against the platform's signing key without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and "CWE-327: Use of a Broken or Risky Cryptographic Algorithm," and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High).
Title Aqara unauthenticated AES oracle
Weaknesses CWE-327
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Aqara Aqara Iam/sso Gateway
cve-icon MITRE

Status: PUBLISHED

Assigner: runZero

Published:

Updated: 2026-06-12T15:48:59.149Z

Reserved: 2026-06-03T14:25:34.982Z

Link: CVE-2026-50086

cve-icon Vulnrichment

Updated: 2026-06-12T15:48:53.898Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-12T16:16:32.187

Modified: 2026-06-12T17:16:25.547

Link: CVE-2026-50086

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T20:19:48Z

Weaknesses
  • CWE-327

    Use of a Broken or Risky Cryptographic Algorithm