CVE Catalog

CVE-2026-50086

CriticalCVSS 10.0
Published: Updated: Translated: NVD NIST

Summary

The Aqara IAM/SSO gateway (gw-builder.aqara.com) exposes bidirectional AES operations on the platform's signing key without authentication. This is an instance of missing authentication for critical functions and the use of a risky cryptographic algorithm.

Risk Assessment

The lack of authentication may lead to unauthorized access to the signing key, posing a serious threat to data integrity and system security.

Recommendation

It is recommended to implement authentication mechanisms for critical functions and to replace the used AES algorithm with a more secure solution.

Original NVD description (English source)

The Aqara IAM/SSO gateway (gw-builder.aqara.com) exposes bidirectional AES round-trups against the platform's signing key without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and "CWE-327: Use of a Broken or Risky Cryptographic Algorithm," and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High).

Vulnerability data from NVD (NIST) · CISA KEV · EPSS