CVE Catalog

CVE-2026-50090

CriticalCVSS 9.3
Published: Updated: Translated: NVD NIST

Summary

The Aqara Cloud OAuth Authorization Endpoint is vulnerable to redirect bypass due to lax domain matching controls, which is an instance of improper validation of unsafe equivalence in input.

Risk Assessment

Exploitation of this vulnerability may lead to unauthorized access to user data, posing a serious security threat to the organization.

Recommendation

It is recommended to implement strict domain validation controls and to monitor and update systems to minimize risk.

Original NVD description (English source)

The Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize) is vulnerable to a redirect bypass due to lax controls on domain matching, which is an instance of "CWE-1289: Improper Validation of Unsafe Equivalence in Input" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N (9.3 Critical).

Vulnerability data from NVD (NIST) · CISA KEV · EPSS