Description
Aqara Home Android (com.lumiunited.aqarahome) 6.0.0 (and white-label clients embedding the same liblumidevsdk.so) uses hard-coded cryptographic keys, which is an instance of "CWE-321: Use of Hard-coded Cryptographic Key" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 Critical).
Published: 2026-06-12
Score: 9.1 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Aqara Home Android (com.lumiunited.aqarahome) version 6.0.0 and white‑label clients that embed the same liblumidevsdk.so use a hard‑coded cryptographic key. This flaw, a classic example of CWE‑321: Use of Hard‑coded Cryptographic Key, allows a malicious actor who can manipulate data on the device or spoof network traffic to decrypt or forge encrypted communications, thereby exposing or altering private data such as device identifiers, user settings, or other secrets. The vulnerability results in full confidentiality compromise and potential integrity tampering, while availability is not directly affected.

Affected Systems

The affected product is Aqara Home Android application version 6.0.0 and any white‑label client that incorporates the identical liblumidevsdk.so library. No other versions of the app are listed as impacted in the advisory.

Risk and Exploitability

The CVSS score of 9.1 classifies the issue as Critical. EPSS is not available, and it is not yet in the CISA KEV catalog. This analysis considers the most likely attack vector to be local on the device: an adversary that can modify data sent to or from the application, or influence the SDK's processing, can exploit the hard‑coded key. Remote exploitation would still require some form of initial device compromise to place the attacker's payload or manipulated traffic in the device context. Note that the published vector string rates Attack Vector as Network (AV:N), so the two assessments differ on this point.

Generated by OpenCVE AI on June 12, 2026 at 17:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Aqara Home Android application to a version that removes the hard‑coded cryptographic key or to a patched liblumidevsdk.so shipped by the vendor.
  • For white‑label clients, upgrade the embedded SDK to a release that contains a proper key‑management implementation; contact the vendor for the appropriate patch or a newer version of the library.
  • If an immediate upgrade is not possible, restrict the application’s network traffic or disable features that rely on the vulnerable SDK until a patched version can be deployed.
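The Impact section above states the consequence of CWE-321 in this library (anyone holding a copy of the shared object holds the key, so encrypted traffic can be read and forged), and the recommended actions ask for a proper key‑management implementation. The following added example is not Aqara's code and not part of this record; it models the weakness with a constructed placeholder key and a stdlib‑only stand‑in cipher (HMAC‑SHA256 in counter mode with an encrypt‑then‑MAC tag), then shows the per‑device key derivation that removes the problem. The names `HARDCODED_KEY`, `derive_device_key`, `assess` and the device identifiers are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed placeholder standing in for a key baked into a shipped library.
# Anyone who extracts the library has this value; it is NOT a real product key.
HARDCODED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stdlib-only stand-in for a stream cipher.

    Illustrative only: production code should use AES-GCM or ChaCha20-Poly1305.
    """
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the tag does not verify under this key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def derive_device_key(provisioning_secret: bytes, device_id: bytes) -> bytes:
    """Per-device key from a secret that never ships inside the app binary.

    HMAC used as a minimal KDF for illustration; HKDF would be the usual choice.
    """
    return hmac.new(provisioning_secret, b"device-key-v1|" + device_id, hashlib.sha256).digest()


def assess(hardcoded: bool) -> dict:
    """What can a third party holding a copy of the library do to device A's traffic?

    hardcoded=True  models CWE-321: every install (and the third party) shares HARDCODED_KEY.
    hardcoded=False models per-device keys provisioned at enrolment (assumed design).
    """
    if hardcoded:
        key_a = HARDCODED_KEY
        key_third_party = HARDCODED_KEY  # extracted from the same shared library
    else:
        provisioning_secret = secrets.token_bytes(32)  # held by backend / device keystore
        key_a = derive_device_key(provisioning_secret, b"device-A")
        key_third_party = derive_device_key(provisioning_secret, b"device-C")  # its own key only

    payload = b"device_id=constructed-0001"  # constructed sample message
    captured = encrypt(key_a, payload)                      # device A's legitimate message
    can_read = decrypt(key_third_party, captured) == payload
    forged = encrypt(key_third_party, payload)              # message claiming to be from A
    forgery_accepted = decrypt(key_a, forged) is not None
    return {"can_read": can_read, "forgery_accepted": forgery_accepted}


if __name__ == "__main__":
    print("hard-coded key :", assess(True))   # both True: confidentiality and integrity lost
    print("per-device key :", assess(False))  # both False
```

The hard‑coded branch reproduces the C:H/I:H outcome from the description: a single shared constant gives every holder of the library both the ability to read and the ability to produce tag‑valid messages for any install. The per‑device branch only changes where the key comes from; the cipher and tag check are identical, which is why the advisory's fix is a key‑management change rather than a cipher change.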

Generated by OpenCVE AI on June 12, 2026 at 17:05 UTC.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Aqara
                                      Aqara com.lumiunited.aqarahome
Vendors & Products                    Aqara
                                      Aqara com.lumiunited.aqarahome

Fri, 12 Jun 2026 17:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 15:45:00 +0000

Type          Values Removed   Values Added
Description                    Aqara Home Android (com.lumiunited.aqarahome) 6.0.0 (and white-label clients embedding the same liblumidevsdk.so) uses hard-coded cryptographic keys, which is an instance of "CWE-321: Use of Hard-coded Cryptographic Key" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 Critical).
Title                          Aqara Home Android SDK hardcoded keys
Weaknesses                     CWE-321
References
Metrics                        cvssV3_1
                               {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: runZero

Published:

Updated: 2026-06-12T16:22:58.685Z

Reserved: 2026-06-03T14:25:34.982Z

Link: CVE-2026-50091

Vulnrichment

Updated: 2026-06-12T16:22:41.112Z

NVD

Status: Awaiting Analysis

Published: 2026-06-12T16:16:32.737

Modified: 2026-06-12T17:16:26.283

Link: CVE-2026-50091

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T20:19:38Z

Weaknesses
  • CWE-321: Use of Hard-coded Cryptographic Key