Impact
An improper CORS configuration allows web pages from any origin to issue cross-origin requests to the Aqara Developer Portal and its shared test environments and read the responses. Because the portal serves sensitive data and internal APIs, an attacker can retrieve information that should be protected, potentially exposing secrets, user credentials, or internal system details. The weakness is classified as CWE‑942 (permissive cross‑domain policy with untrusted domains) and leads primarily to confidentiality violations; the impact score reflects high severity.
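The misconfiguration described above, as an added example that is not Aqara's code: the per-request CORS decision in its weak form (the browser's Origin is reflected back together with credential support) beside an allowlisted form, plus a check that flags the weak pattern in a captured response. The origins and the allowlist are constructed placeholders.

```javascript
// Added example, not taken from the affected portal. Models the CORS decision
// an API or reverse proxy makes per request. Origins are constructed placeholders.

// Weak form (the CWE-942 pattern): echo whatever Origin the browser sent and
// allow credentials, so any site can read authenticated responses.
function weakCorsHeaders(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened form: exact-match allowlist, no CORS headers at all for unknown or
// "null" origins (the browser then blocks the read), and Vary: Origin so a
// shared cache never serves one origin's headers to another.
function hardenedCorsHeaders(requestOrigin, allowlist) {
  if (!requestOrigin || requestOrigin === "null") return {};
  if (!allowlist.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Audit check over a captured response: true when the policy lets an origin
// outside the allowlist read the body (wildcard, or an untrusted origin echoed).
function isPermissiveCors(requestOrigin, responseHeaders, allowlist) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (!acao) return false;
  if (acao === "*") return true;
  return acao === requestOrigin && !allowlist.has(requestOrigin);
}

// Constructed allowlist: only the portal's own origin may read API responses.
const ALLOWLIST = new Set(["https://portal.example.com"]);
```

For a live check, compare the headers of one response requested with a trusted Origin and one with an unrelated Origin; the hardened form returns no CORS headers for the latter.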
Affected Systems
The affected infrastructure consists of Aqara’s public developer portal at developer.aqara.com and its test environments at developer-test.aqara.com and aiot-test.aqara.com. All three hosts are operated by Aqara’s developer and testing teams. No specific version or build identifiers are disclosed in the advisory, so the vulnerability could exist in any current deployment of these portals.
Risk and Exploitability
The CVSS v3.1 score of 8.2 marks the issue as high severity; no known exploits have been reported yet, and no EPSS data is available. Because the attack vector is network reachable from the public Internet (the affected sites are publicly accessible) and exploitation requires no authentication or local privileges, the risk to exposed data is significant. The issue is not listed in CISA’s KEV catalog, but the lack of protection around these portals means a determined actor could use cross‑origin requests to exfiltrate data if other mitigations are not in place.
OpenCVE Enrichment