Description
The Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize) is vulnerable to a redirect bypass due to lax controls on domain matching, which is an instance of "CWE-1289: Improper Validation of Unsafe Equivalence in Input" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N (9.3 Critical).
Published: 2026-06-12
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Aqara Cloud’s OAuth authorization endpoint allows an attacker to bypass normal redirect_uri validation by providing a crafted redirect URL that matches loosely on the domain. Because the server validates the domain equivalence improperly, the redirect can be directed to a malicious host, enabling the attacker to retrieve the OAuth authorization code or access token after the user authorizes the request. This flaw is an instance of CWE-1289: Improper Validation of Unsafe Equivalence in Input, and the CVSS vector indicates a 9.3 score with high confidentiality and integrity impact, but no availability loss.

Affected Systems

The vulnerability resides in Aqara’s Cloud OAuth Authorization Endpoint accessible at open-cn.aqara.com/oauth/authorize. Current information does not list specific patch versions, implying that all currently deployed instances of the endpoint without a vendor patch are potentially vulnerable.

Risk and Exploitability

The high CVSS score of 9.3 reflects the severity, and the EPSS score is not available, leaving the exploitation probability uncertain. The vulnerability is not listed in CISA’s KEV catalog, but the attack vector is public and requires user interaction to complete the OAuth flow. An attacker needing only to entice a user to visit a malicious link can hijack OAuth credentials, potentially granting access to the user’s Aqara account and associated IoT devices.

Generated by OpenCVE AI on June 12, 2026 at 17:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch from Aqara that enforces strict host whitelist validation for redirect_uri parameters.
  • If a patch is not yet available, immediately block all redirect_uri values that do not point to a domain that matches the official Aqara domains (e.g., open-cn.aqara.com) through server-side filtering or reverse proxy rules.
  • Educate users to verify the authenticity of OAuth consent screens, and consider requiring multi-factor authentication to limit the impact of credential theft once a compromised account is detected.
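A defender-side illustration of the strict redirect_uri validation recommended above, added here and not taken from Aqara's service or from OpenCVE. It contrasts a hypothetical lax matcher (any host that merely contains a trusted domain string, the weakness class CWE-1289 describes) with an exact-match check against the URIs a client registered, which is the comparison rule of RFC 6749 section 3.1.2 and the OAuth 2.0 Security Best Current Practice (RFC 9700). The client id, registered URI, trusted-domain list and candidate hostnames are all constructed; Aqara's actual validation logic is not described on this page.

```python
"""Redirect URI validation for an OAuth 2.0 authorization endpoint.

Added example, not code from Aqara or OpenCVE.  The weak matcher is a
hypothetical illustration of "lax domain matching" (CWE-1289); the strict
matcher implements exact string comparison against registered URIs as
required by RFC 6749 section 3.1.2 and RFC 9700.  Every client id, URI and
hostname below is constructed.
"""
from urllib.parse import urlsplit

# Constructed registration table: the exact redirect URIs each client
# declared at onboarding.  Exact strings, never patterns or bare domains.
REGISTERED_REDIRECT_URIS = {
    "client-demo": frozenset({"https://app.example-client.com/oauth/callback"}),
}

# Assumed "trusted domain" list consulted by the hypothetical weak check.
TRUSTED_DOMAINS = ("example-client.com",)


def weak_redirect_ok(redirect_uri: str) -> bool:
    """Hypothetical lax check: accept any URL whose hostname contains a
    trusted domain string.  Shown only so the audit below can contrast it
    with the strict check; it is not Aqara's implementation."""
    host = (urlsplit(redirect_uri).hostname or "").lower()
    return any(domain in host for domain in TRUSTED_DOMAINS)


def strict_redirect_ok(client_id: str, redirect_uri: str) -> bool:
    """Accept only if redirect_uri is byte-for-byte one of the URIs registered
    for this client, is an absolute https URL, and carries no fragment."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.hostname or parts.fragment:
        return False
    # No normalisation, prefix, suffix or substring logic: with an exact
    # string match there is no "equivalent" form left to validate wrongly.
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, frozenset())


def audit(client_id: str, candidates) -> dict:
    """Return {uri: (weak_result, strict_result)} so the two policies can be
    compared side by side over a batch of candidate redirect_uri values."""
    return {uri: (weak_redirect_ok(uri), strict_redirect_ok(client_id, uri))
            for uri in candidates}


# Constructed candidates: the registered URI plus shapes that a substring or
# suffix matcher accepts but an exact match does not.
CANDIDATES = (
    "https://app.example-client.com/oauth/callback",            # registered
    "https://app.example-client.com/oauth/callback/../other",   # path differs
    "https://example-client.com.attacker.test/oauth/callback",  # trusted name is a label of another host
    "http://app.example-client.com/oauth/callback",             # scheme downgrade
    "https://app.example-client.com/oauth/callback#token",      # fragment present
)

if __name__ == "__main__":
    for uri, (weak, strict) in audit("client-demo", CANDIDATES).items():
        print(f"weak={weak!s:5} strict={strict!s:5} {uri}")
```

Running the module prints one line per candidate; only the registered URI passes the strict check, while the lax matcher passes all five. The design point is that the strict check keys on the client_id, so a redirect_uri is never judged on its own shape but only on whether this client registered exactly that string.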

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:45:00 +0000

Type                 | Values Removed | Values Added
First Time appeared  |                | Aqara
                     |                | Aqara cloud Oauth Authorization Endpoint
Vendors & Products   |                | Aqara
                     |                | Aqara cloud Oauth Authorization Endpoint

Fri, 12 Jun 2026 16:30:00 +0000

Type     | Values Removed | Values Added
Metrics  |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 15:45:00 +0000

Type         | Values Removed | Values Added
Description  |                | The Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize) is vulnerable to a redirect bypass due to lax controls on domain matching, which is an instance of "CWE-1289: Improper Validation of Unsafe Equivalence in Input" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N (9.3 Critical).
Title        |                | Aqara OAuth redirect_uri validation bypass
Weaknesses   |                | CWE-1289
References   |                |
Metrics      |                | cvssV3_1: {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}

Subscriptions

Aqara Cloud Oauth Authorization Endpoint
MITRE

Status: PUBLISHED

Assigner: runZero

Published:

Updated: 2026-06-12T15:49:43.781Z

Reserved: 2026-06-03T14:25:34.982Z

Link: CVE-2026-50090

Vulnrichment

Updated: 2026-06-12T15:49:39.953Z

NVD

Status : Awaiting Analysis

Published: 2026-06-12T16:16:32.623

Modified: 2026-06-12T17:16:26.170

Link: CVE-2026-50090

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T20:19:39Z

Weaknesses
  • CWE-1289: Improper Validation of Unsafe Equivalence in Input