CVE-2026-50083
CriticalCVSS 9.1Summary
The Aqara IAM/SSO Gateway uses hardcoded OAuth client credentials, which is an instance of 'CWE-798: Use of Hard-coded Credentials'. This issue has an estimated CVSS score of 9.1, indicating a critical threat.
Risk Assessment
When combined with other vulnerabilities, this can lead to a fully unauthenticated remote takeover of affected devices, posing a serious security risk to the organization.
Recommendation
It is recommended to remove hardcoded credentials and implement authentication mechanisms to secure devices against unauthorized access.
Original NVD description (English source)
The Aqara IAM/SSO Gateway (gw-builder.aqara.com) used a hardcoded OAuth client credential, which is an instance of "CWE-798: Use of Hard-coded Credentials." This issue has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 Critical). When combined with CVE-2026-50082, CVE-50084, and CVE-50085, this can lead to a fully unauthenticated, remote takeover of affected devices.

