External risk intelligence

Aqara Home Android SDK Uses Hard-Coded Cryptographic Keys

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2026-50091

Aqara Home Android applications and white-label clients built on the same SDK contain hard-coded cryptographic keys, which could allow attackers to access or modify sensitive data. This vulnerability is critical; verify whether the affected technology is present and exposed within the environment.

Halo Surface Signal

External exposure likelihood

Halo Surface Signal score for CVE-2026-50091

The vulnerability resides within an Android mobile application, which operates on a client device. Mobile applications are not internet-facing services, gateways, or servers, and this specific library usage does not imply that the application functions as a publicly reachable network endpoint or appliance.

PCI scan relevance

PCI Relevance for CVE-2026-50091

Yes

CVE-2026-50091 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability involves hard-coded cryptographic keys, which could lead to a PCI ASV scan failure due to the potential for authentication bypass or sensitive data disclosure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory details a critical vulnerability found in the Aqara Home Android application. The issue involves the use of hard-coded cryptographic keys within the application's software development kit, which could potentially allow unauthorized access to sensitive information. The main concern is to confirm whether this technology is relevant to our environment and whether it has been exposed.

  • Hard-coded keys in an app pose a security risk.
  • Critical flaw affects sensitive data access.
  • Verify relevance and exposure in our systems.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by targeting the Aqara Home Android application or similar clients that embed the same SDK. Because the application uses hard-coded cryptographic keys, an attacker who can access the application's code or libraries can potentially extract these keys. This exposure allows for unauthorized access to or modification of sensitive data handled by the application.

  • No special access required.
  • Vulnerable SDK libraries.
  • Compromised data confidentiality and integrity.

Live Threat

Current exploitation, exposure, and threat context

As described in the advisory, the hard-coded cryptographic keys within the Aqara Home Android application could allow an attacker to access or modify sensitive information, because the keys used for encryption are not stored securely and can be recovered by anyone who obtains a copy of the application.

  • Sensitive application data could be accessed.
  • Hard-coded keys may be discovered.
  • Confidentiality and integrity of data may be compromised.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts the Aqara Home Android application and any white-label clients embedding the same SDK. The first step is for application owners and security teams to identify all instances of the affected application, confirm its reachability and business criticality, and then assign ownership for remediation planning.

  • Identify application owners.
  • Verify app reachability and criticality.
  • Plan remediation based on risk.

Frequently asked questions

What is the Aqara Home Android application?

Aqara Home is a mobile application used for managing smart home devices. This vulnerability specifically affects version 6.0.0 and any third-party, white-label apps that incorporate its underlying software component, liblumidevsdk.so.

What does CWE-321 mean for CVE-2026-50091?

CWE-321 identifies the use of hard-coded cryptographic keys. In this CVE, it means the security keys needed to encrypt or protect data are embedded directly within the app's code rather than being generated or stored securely. This makes those keys discoverable to anyone who analyzes the application files.
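The discoverability that CWE-321 describes is also what an SDK build audit looks for. The following Python check is added here as an illustration and is not part of the advisory or the vendor's code: it slides a window over a library image and reports runs whose byte entropy is as high as key material, run against a constructed sample buffer that stands in for a native library (liblumidevsdk.so itself is not examined; the key bytes and strings are made up).

```python
import math
from typing import List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_key_candidates(blob: bytes, window: int = 32,
                        threshold: float = 4.6) -> List[Tuple[int, int]]:
    """Slide a window over the image and merge consecutive high-entropy
    windows into (offset, length) runs. A 32-byte window of symbol names or
    zero padding scores well below 4.6 bits; 32 bytes of random key material
    scores roughly 4.8 to 5.0, so such runs are candidates for embedded keys
    that a reviewer then inspects by hand."""
    runs: List[Tuple[int, int]] = []
    start, end = None, 0
    for i in range(len(blob) - window + 1):
        if shannon_entropy(blob[i:i + window]) >= threshold:
            if start is None:
                start = i
            end = i + window
        elif start is not None:
            runs.append((start, end - start))
            start = None
    if start is not None:
        runs.append((start, end - start))
    return runs


# Constructed stand-in for a native library image (not the real SDK): an
# ELF-like header, zero padding, symbol-name strings and, in the middle, a
# 32-byte constant playing the role of an embedded AES-256 key.
CONSTRUCTED_KEY = bytes(range(0x80, 0xA0))
SAMPLE_LIB = (
    b"\x7fELF" + b"\x00" * 60
    + b"constructed sdk strings: sdk_init sdk_encrypt sdk_decrypt sdk_get_key "
    + CONSTRUCTED_KEY
    + b"\x00" * 16
    + b"log_tag sdk_init sdk_encrypt sdk_decrypt "
)

if __name__ == "__main__":
    for off, length in find_key_candidates(SAMPLE_LIB):
        print(f"high-entropy run at offset 0x{off:x}, {length} bytes")
```

A real audit runs the same check over every build of the SDK and treats a candidate that is byte-identical across builds and installs as a hard-coded key, which is exactly the condition CWE-321 names.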

How can an attacker trigger this vulnerability?

An attacker needs to gain access to the application's code or its specific libraries to extract the embedded keys. Merely using the app normally does not trigger the vulnerability; it requires a malicious actor to inspect the software itself to find the secret keys hidden within the SDK.

Do I need to worry if I use this app?

According to Halo Surface Signal, this risk is very unlikely for most infrastructure because the flaw exists in a mobile client app, not a network server or gateway. Since mobile apps are not typically exposed as internet-facing services, they do not serve as direct entry points for remote network attacks.

How should I respond if I have this app installed?

Begin by identifying all devices or systems where this specific Android application is in use. Once you have an inventory, determine who owns or manages the app within your organization and prioritize monitoring for updates from the vendor to replace the vulnerable software development kit.
