External risk intelligence

Aqara Cloud OAuth Redirect Validation Bypass CVE-2026-50090

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-50090

A vulnerability in Aqara Cloud's OAuth authorization endpoint allows redirect bypass due to lax domain matching, potentially enabling attackers to redirect users to malicious sites and compromise sensitive information.

Halo Surface Signal: 5

External exposure likelihood

Halo Surface Signal score for CVE-2026-50090

The vulnerability exists in an OAuth authorization endpoint hosted on a public internet domain (open-cn.aqara.com). As a core identity and authentication service component designed for web and API-based authorization flows, this interface is intended to be publicly reachable to facilitate third-party service integration.

PCI scan relevance

PCI Relevance for CVE-2026-50090

Yes

CVE-2026-50090 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in Aqara Cloud OAuth allows for a redirect bypass, which could lead to unauthorized access and is relevant for PCI scans.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This CVE describes a vulnerability in Aqara's cloud authentication system, which could allow attackers to redirect users to malicious sites. The issue stems from insufficient validation of domain matching during the authorization process. This could potentially impact user trust and data security if exploited.

  • Authentication system allows redirect to fake sites.
  • Affects user trust and data security.
  • Confirm if Aqara cloud services are used.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by tricking a user into clicking a specially crafted link. This link would direct the user to the Aqara Cloud OAuth authorization endpoint, where a flaw in how the system validates redirect domains could allow the attacker to redirect the user to an attacker-controlled website. If successful, this could lead to the theft of sensitive user information or unauthorized actions on behalf of the user.

  • Requires user interaction via a link.
  • Exploits domain validation flaw.
  • Risk of credential theft and account takeover.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to redirect users to a malicious site after they initiate an OAuth authorization flow through the Aqara Cloud service. This could potentially expose sensitive information to the attacker, depending on the user's actions and the specific integration points.

  • User authentication tokens could be exposed.
  • Redirect bypass could send users to fake sites.
  • Account takeover may be possible.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This Aqara Cloud OAuth endpoint vulnerability requires immediate attention from teams managing cloud-hosted authentication services and from those responsible for integrating external services. The first practical step is to identify every integration in your environment that relies on the Aqara Cloud OAuth endpoint, assess its reachability and business criticality, and confirm the accountable owner for remediation planning.

  • Identify and confirm the owner.
  • Verify public exposure and criticality.
  • Plan remediation based on risk.

Frequently asked questions

What is the Aqara Cloud OAuth endpoint?

The Aqara Cloud OAuth endpoint is a web-based service component used to manage authorization flows between the Aqara ecosystem and third-party applications. It acts as a gatekeeper, verifying identity so that different software services can interact with your Aqara devices securely. Because it serves as a central hub for login and permission requests, it is designed to be accessible to external web services.

What does CVE-2026-50090 mean by improper validation?

This vulnerability is classified as CWE-1289, which refers to improper validation of unsafe equivalence. In plain terms, the system fails to strictly check the destination domain when redirecting a user after a login attempt. Instead of ensuring the user is sent only to a trusted, authorized website, the system can be tricked into accepting a malicious or unauthorized URL, allowing an attacker to divert traffic to a site they control.
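To make the CWE-1289 failure concrete, the following is an added example (my own code, not Aqara's, with constructed client IDs, hosts and log lines) that contrasts a lax prefix-based domain match with an exact-match redirect_uri check of the kind RFC 6749 and the OAuth 2.0 Security BCP require. It also replays constructed authorization-request log lines through the strict check, which is the sort of review the Operational Fix section's detection step calls for.

```python
"""Exact-match redirect_uri validation for an OAuth authorization endpoint,
contrasted with the lax domain-matching check CWE-1289 describes.
Added example, not Aqara's code. Client IDs, hosts and log lines are constructed."""
import re
from urllib.parse import urlsplit

# Constructed client registry: client_id -> exact registered redirect URIs.
REGISTERED_REDIRECTS = {
    "client-123": {"https://app.example.com/oauth/callback"},
}


def _origin(uri: str) -> str:
    """scheme://host of a URI, used only by the lax check below."""
    parts = urlsplit(uri)
    return f"{parts.scheme}://{parts.hostname}"


def lax_is_allowed(client_id: str, redirect_uri: str) -> bool:
    """The weak pattern: a redirect_uri is trusted when it merely starts with a
    registered scheme://host. Two different destinations compare as 'equivalent'."""
    return any(redirect_uri.startswith(_origin(r))
               for r in REGISTERED_REDIRECTS.get(client_id, ()))


def strict_check(client_id: str, redirect_uri: str) -> tuple:
    """Hardened check: structural sanity, then simple string comparison against
    the registered value (RFC 6749 s3.1.2.3). Returns (allowed, reason)."""
    try:
        parts = urlsplit(redirect_uri)
        _ = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable"
    if parts.scheme != "https":
        return False, "scheme not https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present"
    if parts.fragment:
        return False, "fragment present"  # RFC 6749 s3.1.2 forbids fragments
    if redirect_uri not in REGISTERED_REDIRECTS.get(client_id, ()):
        return False, "not an exact registered redirect_uri"
    return True, "ok"


# Matches the constructed log format used in SAMPLE_LOG below.
AUTHZ_LOG_LINE = re.compile(r"client_id=(?P<cid>\S+)\s+redirect_uri=(?P<uri>\S+)")


def audit_authorization_log(lines):
    """Replay logged /authorize requests through the strict check and return
    the ones it rejects, as (client_id, redirect_uri, reason) tuples."""
    findings = []
    for line in lines:
        m = AUTHZ_LOG_LINE.search(line)
        if not m:
            continue
        allowed, reason = strict_check(m["cid"], m["uri"])
        if not allowed:
            findings.append((m["cid"], m["uri"], reason))
    return findings


# Constructed sample log lines (not real traffic): one legitimate request and
# three that only a lax or absent check would let through.
SAMPLE_LOG = [
    "2026-01-01T10:00:00Z GET /authorize client_id=client-123 "
    "redirect_uri=https://app.example.com/oauth/callback",
    "2026-01-01T10:00:05Z GET /authorize client_id=client-123 "
    "redirect_uri=https://app.example.com.unrelated.example/oauth/callback",
    "2026-01-01T10:00:09Z GET /authorize client_id=client-123 "
    "redirect_uri=https://app.example.com@other.example/oauth/callback",
    "2026-01-01T10:00:12Z GET /authorize client_id=client-123 "
    "redirect_uri=http://app.example.com/oauth/callback",
]

if __name__ == "__main__":
    for cid, uri, reason in audit_authorization_log(SAMPLE_LOG):
        print(f"REJECT {cid} {uri}: {reason} "
              f"(lax check would allow: {lax_is_allowed(cid, uri)})")
```

The strict check deliberately does no normalisation beyond parsing for sanity: the registered value and the presented value must be byte-for-byte identical, which removes the whole class of "equivalent-looking" hosts the lax prefix match accepts.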

How does an attacker trigger this redirect bypass?

An attacker initiates the attack by tricking a user into clicking a specially crafted link that leads to the vulnerable Aqara OAuth endpoint. This action requires user interaction; simply visiting the Aqara service normally does not trigger the vulnerability. The flaw is not activated by automated system-to-system communication alone, but specifically through manipulated requests that exploit the endpoint's weak domain-matching logic.

Is my organization at risk from this CVE?

Halo Surface Signal indicates that this vulnerability is highly relevant because it exists on a public-facing internet domain (open-cn.aqara.com). Any organization or individual using integrations that rely on this specific Aqara OAuth flow for web or API-based authentication is exposed to this risk. If you use third-party services that connect to your Aqara account, you should consider the potential for malicious redirection during the authentication process.

Do I need to take action for CVE-2026-50090?

Yes. Start by identifying where your systems or applications integrate with the Aqara Cloud OAuth service. Assess the criticality of these integrations to your daily operations. Once identified, document which business units or technical teams are responsible for these connections so you can coordinate closely with them as official remediation or security guidance becomes available.
