External risk intelligence

Aqara Cloud API Missing Authorization Allows Account Takeover.

CVE advisory

Severity: CRITICAL (CVSS 9.6)

CVE-2026-50084

A critical authorization vulnerability exists in the Aqara Cloud Production API, where a valid developer token can grant access to any account. This "missing authorization" flaw (CWE-862) could allow unauthorized account access and, when combined with other vulnerabilities, potentially lead to a complete remote takeover.

Halo Surface Signal

External exposure likelihood

Halo Surface Signal score for CVE-2026-50084: 5

The vulnerability exists in a public cloud-based API endpoint (open-cn.aqara.com) designed to facilitate remote communication and integration for connected devices. As a cloud service endpoint accessible over the internet for API interactions, it is public-facing by design.

PCI scan relevance

PCI Relevance for CVE-2026-50084

Yes

CVE-2026-50084 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability involves missing authorization in the Aqara Cloud Production API, potentially allowing unauthorized access to accounts and full device takeover, which would likely cause a PCI scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability affects an Aqara cloud API, allowing unauthorized access to user accounts. When combined with other related issues, it could enable unauthenticated remote takeover of connected devices. The main concern is confirming relevance and exposure.

  • API allows unauthorized account access.
  • Critical flaw could allow device takeover.
  • Confirm if Aqara devices are in use.

Attack Path

How an attacker could exploit the issue

An attacker could begin by obtaining a valid developer token, which is a relatively low bar for access. With this token, they could then interact with the Aqara Cloud Production API. The API, lacking proper authorization checks, would permit the attacker to access any account, not just their own, potentially leading to a full device takeover when combined with other vulnerabilities.

  • Requires a valid developer token.
  • Accesses any account via the cloud API.
  • Leads to remote device takeover.

Live Threat

Current exploitation, exposure, and threat context

A valid developer token, when used with the Aqara Cloud Production API, could allow access to any account, potentially exposing user data and device configurations. This authorization flaw, when combined with other vulnerabilities, may lead to a complete remote takeover of affected devices.

  • User accounts and device data at risk.
  • Unauthorized access via API and valid tokens.
  • Complete remote takeover of devices possible.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The Aqara Cloud Production API's authorization vulnerability requires immediate attention from platform and security teams. The first step is to identify all instances of this API within your environment, confirm its exposure and criticality, and then locate the accountable owner for remediation planning.

  • Platform and security teams own the issue.
  • Verify API exposure and account criticality.
  • Plan remediation with the accountable owner.

Frequently asked questions

What is the Aqara Cloud Production API?

The Aqara Cloud Production API is a web-based service endpoint that enables remote communication and management for Aqara smart home devices. It acts as the bridge between developer-built integrations and the cloud infrastructure, allowing connected hardware to receive commands and sync data across the platform.

What does CWE-862 mean for CVE-2026-50084?

CWE-862 refers to a Missing Authorization weakness. In the context of this CVE, it means the API fails to verify whether a user has permission to access specific account data. Because this check is absent, the system grants any request made with a valid token full access to any user account, regardless of who the token actually belongs to.
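The following is an added illustration of the CWE-862 pattern described in this advisory and in the summary above; it is constructed for this page and is not Aqara's code, nor a reproduction of the affected endpoint. The token store, account store, handler names and log format are all hypothetical. It shows a handler that authenticates a developer token but never checks which accounts that token is bound to, the same handler with an object-level authorization check inserted, and a defender-side pass over constructed access-log lines that flags successful reads of accounts the token was never granted.

```python
"""CWE-862 (Missing Authorization) in a token-based account API: vulnerable
handler, hardened handler, and a log check for cross-account reads.

Constructed example: TOKENS, ACCOUNTS, the handlers and the log format are
hypothetical and do not describe any real vendor's API.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data. Each developer token is bound to the accounts that
# granted it access; that binding is what the vulnerable handler ignores.
TOKENS = {
    "devtok-alpha": {"developer": "app-alpha", "granted_accounts": {"acct-1001"}},
    "devtok-beta": {"developer": "app-beta", "granted_accounts": {"acct-2002"}},
}

ACCOUNTS = {
    "acct-1001": {"email": "alice@example.invalid", "devices": ["hub-1", "sensor-1"]},
    "acct-2002": {"email": "bob@example.invalid", "devices": ["hub-2"]},
}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def authenticate(token: str) -> Optional[dict]:
    """Authentication only: is the token valid? Says nothing about what it may access."""
    return TOKENS.get(token)


def get_account_vulnerable(token: str, account_id: str) -> Response:
    """CWE-862 pattern: a valid token is treated as permission for every account."""
    principal = authenticate(token)
    if principal is None:
        return Response(401)
    account = ACCOUNTS.get(account_id)
    if account is None:
        return Response(404)
    # Missing step: nothing ties account_id to the principal the token represents,
    # so any valid token reads any account.
    return Response(200, account)


def is_authorized(principal: dict, account_id: str) -> bool:
    """Object-level authorization: may this principal act on this account?"""
    return account_id in principal["granted_accounts"]


def get_account_fixed(token: str, account_id: str) -> Response:
    """Same handler with the authorization check placed right after authentication."""
    principal = authenticate(token)
    if principal is None:
        return Response(401)
    if not is_authorized(principal, account_id):
        # Deny before touching the account store, so unauthorized callers cannot
        # distinguish existing accounts from missing ones via 403 vs 404.
        return Response(403)
    account = ACCOUNTS.get(account_id)
    if account is None:
        return Response(404)
    return Response(200, account)


# Constructed access-log lines (hypothetical format: timestamp then key=value fields).
SAMPLE_LOG = [
    "2026-01-01T00:00:01Z token=devtok-alpha account=acct-1001 status=200",
    "2026-01-01T00:00:02Z token=devtok-alpha account=acct-2002 status=200",
    "2026-01-01T00:00:03Z token=devtok-beta account=acct-2002 status=200",
    "2026-01-01T00:00:04Z token=devtok-zzz account=acct-1001 status=401",
]


def find_cross_account_access(lines: list) -> list:
    """Defender-side review: successful reads where the token had no grant for the account.

    On a system with the vulnerable handler this is the only place the flaw
    becomes visible, because the request itself was accepted.
    """
    hits = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        principal = TOKENS.get(fields.get("token"))
        if principal is None:
            continue  # rejected tokens are authentication failures, not authorization misses
        if fields.get("status") == "200" and fields.get("account") not in principal["granted_accounts"]:
            hits.append(line)
    return hits


if __name__ == "__main__":
    # app-alpha's token requesting bob's account
    print(get_account_vulnerable("devtok-alpha", "acct-2002").status)  # 200: cross-account read
    print(get_account_fixed("devtok-alpha", "acct-2002").status)  # 403: denied
    print(get_account_fixed("devtok-alpha", "acct-1001").status)  # 200: own account
    for hit in find_cross_account_access(SAMPLE_LOG):
        print("cross-account read:", hit)
```

The design point is that authentication (is this token real?) and authorization (may this token touch this object?) are separate checks; the hardened handler answers the second question before it reads anything, and the log review gives an integration owner a way to look for accepted requests that should not have been, using only fields a normal API access log already carries.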

How does an attacker trigger this vulnerability?

An attacker triggers this flaw by presenting a valid developer token to the affected API endpoint. Crucially, the vulnerability does not require the attacker to own or have prior permission to the target account; the API simply fails to perform the necessary authorization validation step required to isolate user data.

Is my environment at risk from this vulnerability?

Halo Surface Signal indicates that because this is a public cloud-based API endpoint, it is accessible over the internet by design. If you use services that integrate with the Aqara Cloud Production API, your cloud-managed device configurations and user data are potentially accessible to anyone possessing a valid developer token.

What are the first steps to address this issue?

Your priority is to inventory where this API is utilized within your technical environment. Once you have identified the systems communicating with the affected cloud endpoint, determine who manages those integrations and initiate a review to assess the potential impact on your connected devices and account security.
