Aqara Developer Portal insecure authentication token

Vendor: Aqara
Product: Aqara Cloud Developer Portal

Executive summary #

The Aqara Cloud Developer Portal (developer.aqara.com) issued a developer token to any attacker-supplied email address, with no approval step. This is an instance of "CWE-306: Missing Authentication for Critical Function" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (6.5 Medium). When combined with CVE-2026-50083, CVE-2026-50084, and CVE-2026-50085, an otherwise-unauthenticated attacker could execute a full takeover of affected devices.

Technical details #


POST /open-server/authcode/get accepts any email address, sends a verification code to that address, and lets the requester complete a developer-account signup with no approval workflow. The resulting account holds a valid Appid and Keyid that the production API at open-cn.aqara.com accepts as authorization to call user-scope endpoints (see CVE-2026-50084).

Repro:

POST /open-server/authcode/get HTTP/1.1
Host: developer.aqara.com
Content-Type: application/json

{"email":"attacker@example.com","type":1}

→ HTTP 200, {"code":0,"message":"Success"}

Attacker value: Entry point of the four-step chain. Without it, the remaining three issues are not reachable by an unauthenticated attacker.

Vendor status: Marked Fixed in Aqara's April 20 acknowledgment table. Independent re-test pending.
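The signup flow described above, modelled as an added Python example (not Aqara's code and not the researcher's): the same portal once with the missing control, as the advisory describes it, and once with an approval gate in front of the code issuance. The path /open-server/authcode/get and the request/response JSON ({"email": ..., "type": 1} answered with {"code": 0, "message": "Success"}) are taken from the advisory; the administrator allow-list, the signup_complete step, the six-digit code and its TTL, and the way Appid/Keyid are generated are assumptions made for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable

CODE_TTL_SECONDS = 600  # assumed lifetime of an e-mailed verification code


@dataclass
class Portal:
    """Minimal model of a developer portal that e-mails an auth code and then
    hands out a developer (Appid, Keyid) pair on signup.

    require_approval=False reproduces the behaviour the advisory describes: any
    e-mail address can request a code and finish signup with no approval step.
    require_approval=True adds the missing control: only addresses an
    administrator has put on the allow-list receive a code or get credentials.
    """
    require_approval: bool = True
    approved: set = field(default_factory=set)      # admin allow-list (assumed)
    outbox: list = field(default_factory=list)      # stand-in for e-mail delivery
    pending: dict = field(default_factory=dict)     # email -> (code, expires_at)
    accounts: dict = field(default_factory=dict)    # email -> {"appid", "keyid"}
    now: Callable[[], float] = time.time            # injectable clock for tests

    def approve(self, email: str) -> None:
        self.approved.add(email.lower())

    def authcode_get(self, body: dict) -> tuple[int, dict]:
        """POST /open-server/authcode/get (path and JSON shape from the advisory)."""
        email = body.get("email")
        if not isinstance(email, str) or "@" not in email or body.get("type") != 1:
            return 400, {"code": 400, "message": "Bad request"}
        email = email.lower()
        if self.require_approval and email not in self.approved:
            # Hardened behaviour: answer exactly like the success case so the
            # endpoint cannot be used to enumerate approved developers, but
            # issue no code. A re-test therefore cannot stop at this response;
            # it has to attempt signup_complete to see whether the gate holds.
            return 200, {"code": 0, "message": "Success"}
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[email] = (code, self.now() + CODE_TTL_SECONDS)
        self.outbox.append((email, code))
        return 200, {"code": 0, "message": "Success"}

    def signup_complete(self, body: dict) -> tuple[int, dict]:
        """Hypothetical second step: trade a valid code for Appid/Keyid."""
        email = str(body.get("email", "")).lower()
        submitted = str(body.get("code", ""))
        entry = self.pending.pop(email, None)  # single use: gone after one attempt
        if entry is None:
            return 403, {"code": 403, "message": "No pending code"}
        code, expires_at = entry
        if self.now() > expires_at or not hmac.compare_digest(code, submitted):
            return 403, {"code": 403, "message": "Invalid or expired code"}
        if self.require_approval and email not in self.approved:
            return 403, {"code": 403, "message": "Account not approved"}
        creds = {"appid": secrets.token_hex(8), "keyid": secrets.token_hex(8)}
        self.accounts[email] = creds
        return 200, {"code": 0, "message": "Success", "result": creds}


def run_flow(portal: Portal, email: str) -> bool:
    """Request a code for `email`, read it back from the simulated outbox, and
    try to finish signup. Returns True if the portal handed out an Appid/Keyid."""
    status, resp = portal.authcode_get({"email": email, "type": 1})
    if status != 200 or resp.get("code") != 0:
        return False
    delivered = [c for (to, c) in portal.outbox if to == email.lower()]
    if not delivered:
        return False
    status, resp = portal.signup_complete({"email": email, "code": delivered[-1]})
    return status == 200 and "result" in resp


if __name__ == "__main__":
    vulnerable = Portal(require_approval=False)
    print("no approval gate, attacker gets credentials:",
          run_flow(vulnerable, "attacker@example.com"))
    fixed = Portal(require_approval=True)
    fixed.approve("dev@example.com")
    print("approval gate, attacker gets credentials:",
          run_flow(fixed, "attacker@example.com"))
    print("approval gate, approved developer gets credentials:",
          run_flow(fixed, "dev@example.com"))
```

Because the hardened portal still answers authcode/get for an unapproved address with the same {"code":0,"message":"Success"} body shown in the repro, a re-test that only observes that response cannot tell the fixed and unfixed states apart; it has to carry the flow through to signup and check whether an Appid/Keyid is actually returned.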



Further technical details for this issue can be found at https://github.com/xn0tsa/theres-no-place-like-home

Attacker value #

This issue's main attacker value is as the entry point to a fully chained remote code execution exploit, culminating in the issue identified in CVE-2026-50085.

Credit #

These issues were discovered, documented, and disclosed by Sammy Azdoufal. CVE coordination was performed by Tod Beardsley of runZero, Inc.

Timeline #

2026-03-13: Set of issues discovered by the researcher and outreach to the vendor initiated

2026-03-30: Second outreach by the researcher

2026-04-08: Various findings and vulnerabilities remediated by the vendor

2026-04-20: Vendor acknowledged the researcher's report

2026-04-20: The vendor stated this issue has been fixed

2026-06-12: This public disclosure (90 days from first contact) 

For more details on specific findings and fixes, please see the researcher's website at https://github.com/xn0tsa/theres-no-place-like-home.
