Description
The Aqara IAM/SSO gateway (gw-builder.aqara.com) exhibits a cross-origin request sharing vulnerability, which is an instance of "CWE-942: Permissive Cross-domain Policy with Untrusted Domains," and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High).
Published: 2026-06-12
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Aqara IAM/SSO Gateway hosts a permissive Cross‑Origin Resource Sharing policy that satisfies the definition of CWE‑942. An attacker can send HTTP requests from a malicious web origin and receive the gateway’s responses, allowing the unauthorized disclosure of confidential data such as SSO tokens or configuration. The vulnerability is characterised by a CVSS v3.1 score of 8.2, signalling high confidentiality impact and low attack complexity, but it does not provide for remote code execution or privilege escalation.

Affected Systems

The affected vendor is Aqara and the product is the Aqara IAM/SSO Gateway. No version information is documented in the advisory; the issue applies to any deployment of the gateway.

Risk and Exploitability

A high CVSS score indicates significant risk; however, the EPSS score is not available and the vulnerability has not been listed in the CISA KEV catalog, suggesting no known active exploitation. The likely attack vector is a remote origin that can reach the gateway unit, typically via a web browser or automated script. If the gateway is exposed to the wider Internet or to untrusted internal networks, an attacker could orchestrate automated cross‑origin calls to harvest sensitive data.

Generated by OpenCVE AI on June 12, 2026 at 16:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy any available firmware or patch update for the Aqara IAM/SSO Gateway that addresses the permissive CORS configuration.
  • Configure the gateway’s CORS settings or deploy a reverse‑proxy in front of the gateway to accept requests only from trusted origins and reject all other domains.
  • Place the gateway behind a network segment or firewall that limits inbound access to trusted devices or internal networks.
  • Monitor gateway logs and network traffic for abnormal cross‑origin request patterns and correlate them with security alerts.
  • If a patch is not immediately available, apply a temporary network or application‑level firewall rule to block cross‑origin requests from untrusted origins.

Generated by OpenCVE AI on June 12, 2026 at 16:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Aqara
Aqara aqara Iam/sso Gateway
Vendors & Products Aqara
Aqara aqara Iam/sso Gateway

Fri, 12 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description The Aqara IAM/SSO gateway (gw-builder.aqara.com) exhibits a cross-origin request sharing vulnerability, which is an instance of "CWE-942: Permissive Cross-domain Policy with Untrusted Domains," and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High).
Title Aqara IAM/SSO Gateway cross-origin resource sharing
Weaknesses CWE-942
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N'}

Subscriptions

Aqara Aqara Iam/sso Gateway
cve-icon MITRE

Status: PUBLISHED

Assigner: runZero

Published:

Updated: 2026-06-12T15:52:19.433Z

Reserved: 2026-06-03T14:25:34.982Z

Link: CVE-2026-50087

cve-icon Vulnrichment

Updated: 2026-06-12T15:52:15.741Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-12T16:16:32.297

Modified: 2026-06-12T17:16:25.813

Link: CVE-2026-50087

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T20:19:45Z

Weaknesses
  • CWE-942

    Permissive Cross-domain Security Policy with Untrusted Domains