CVE-2026-50088 PUBLISHED

Aqara Developer Portal cross-origin resource sharing

Assigner: runZero
Reserved: 03.06.2026 Published: 12.06.2026 Updated: 12.06.2026

The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) exhibit cross-origin request sharing, which is an instance of "CWE-942: Permissive Cross-domain Policy with Untrusted Domains," and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High).

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
CVSS Score: 8.2

Product Status

Vendor Aqara
Product Aqara Developer Portal
Versions Default: unaffected
  • affected from 2026-04-20 to 0 (excl.)
Vendor Aqara
Product Aqara Developer Test Portal
Versions Default: unaffected
  • affected from 2026-04-20 to 0 (excl.)

Credits

  • Sammy Azdoufal finder
  • Tod Beardsley of runZero, Inc. coordinator

References

Problem Types

  • CWE-942 Permissive cross-domain security policy with untrusted domains CWE