CVE Catalog

CVE-2026-50083

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Summary

The Aqara IAM/SSO Gateway uses hardcoded OAuth client credentials, which is an instance of 'CWE-798: Use of Hard-coded Credentials'. This issue has an estimated CVSS score of 9.1, indicating a critical threat.

Risk Assessment

When combined with other vulnerabilities, this can lead to a fully unauthenticated remote takeover of affected devices, posing a serious security risk to the organization.

Recommendation

It is recommended to remove hardcoded credentials and implement authentication mechanisms to secure devices against unauthorized access.

Original NVD description (English source)

The Aqara IAM/SSO Gateway (gw-builder.aqara.com) used a hardcoded OAuth client credential, which is an instance of "CWE-798: Use of Hard-coded Credentials." This issue has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 Critical). When combined with CVE-2026-50082, CVE-50084, and CVE-50085, this can lead to a fully unauthenticated, remote takeover of affected devices.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS