External risk intelligence

Aqara IAM/SSO Gateway Unauthenticated AES Oracle Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 10.0)

CVE-2026-50086

The Aqara IAM/SSO gateway has a vulnerability that allows unauthenticated parties to perform cryptographic operations, potentially leading to unauthorized access. This is because it exposes AES encryption/decryption functions without requiring authentication. Organizations should confirm if this gateway is relevant to

Halo Surface Signal

Score: 5

External exposure likelihood

Halo Surface Signal score for CVE-2026-50086

The vulnerability affects an IAM/SSO gateway, which is a service designed for identity management and authentication. Such services are typically deployed as public-facing gateways or identity portals to facilitate access, making this component public-facing by design in normal operational contexts.

PCI scan relevance

PCI Relevance for CVE-2026-50086

Yes

CVE-2026-50086 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This CVE involves missing authentication for a critical function, potentially allowing unauthorized access and impacting confidentiality and integrity, which would cause a PCI ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability involves the Aqara IAM/SSO gateway, which could allow unauthenticated access to sensitive cryptographic operations. While the specifics of exploitation and impact require further analysis, a compromise of an authentication gateway could have broad implications for system security. The primary concern at this stage is to determine if this technology is relevant to our environment and assess any potential exposure.

  • Unauthenticated crypto flaws in Aqara gateway.
  • The gateway protects user access and sensitive data.
  • Confirm relevance and exposure to Aqara services.

Attack Path

How an attacker could exploit the issue

An attacker can reach the Aqara IAM/SSO gateway from the internet and interact with its signing key function without needing any credentials. This allows them to perform cryptographic operations that could lead to unauthorized access or other security breaches on the platform.

  • No authentication required for critical function.
  • Attacker triggers vulnerable cryptographic operations.
  • Allows for unauthorized access to the platform.

Live Threat

Current exploitation, exposure, and threat context

The Aqara IAM/SSO gateway could allow an unauthenticated attacker to perform AES encryption or decryption operations using the platform's signing key. This is possible because the gateway exposes bidirectional AES round-trips without requiring any authentication.

  • Platform signing key exposure.
  • Unauthenticated AES oracle access.
  • Potential for unauthorized access.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Identifying the correct team to address this critical vulnerability requires understanding the Aqara IAM/SSO gateway's role within your environment. Typically, platform or infrastructure teams manage core identity services, while security operations may be responsible for monitoring and initial triage. The first practical step is to determine if this gateway is deployed, accessible externally, and critical to business operations. If so, locate the accountable owner and initiate a risk-based remediation plan.

  • Identify platform or infrastructure owners.
  • Verify external accessibility and criticality.
  • Plan remediation based on risk.

Frequently asked questions

What is the Aqara IAM/SSO gateway?

The Aqara IAM/SSO gateway is an identity and access management component designed to centralize authentication processes. It acts as a gatekeeper for user access and protects sensitive platform data, serving as a critical infrastructure piece that governs how users sign into and interact with the broader Aqara ecosystem.

What does CVE-2026-50086 mean for security?

This vulnerability involves two main weaknesses: Missing Authentication for Critical Function (CWE-306) and the Use of a Broken or Risky Cryptographic Algorithm (CWE-327). Essentially, the gateway allows unauthorized parties to perform cryptographic operations using the system's signing key without proving their identity.

How can an attacker trigger this vulnerability?

An attacker triggers this by interacting directly with the gateway's cryptographic functions, which mistakenly allow bidirectional AES round-trips without any login requirements. Simple internal status checks or non-cryptographic traffic toward the gateway will not trigger this specific flaw; it requires deliberate, unauthenticated requests that target the signing key operations.

Is my environment at risk from this CVE?

According to Halo Surface Signal, this gateway is typically designed to be public-facing to facilitate identity management. If you operate this technology, it is highly likely to be exposed to the internet. You should care if your organization relies on this gateway for authentication, as its internet-facing nature makes it a direct target for unauthorized access attempts.

What should I do if I use this software?

Your first step is to confirm whether this specific gateway is deployed within your infrastructure. Once identified, verify if it is reachable from the internet and clarify its importance to your operations. Locate the team responsible for managing platform identity services and work with them to prioritize this risk according to your internal security policies.
