CVE-2026-50088 - Vulnerability Details - OpenCVE

The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) exhibit cross-origin request sharing, which is an instance of "CWE-942: Permissive Cross-domain Policy with Untrusted Domains," and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://github.com/xn0tsa/theres-no-place-like-home
https://www.runzero.com/advisories/aqara-dev-portal-cors-cve-2026-50088

History

Fri, 12 Jun 2026 15:45:00 +0000

Type	Values Removed	Values Added
Description		The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) exhibit cross-origin request sharing, which is an instance of "CWE-942: Permissive Cross-domain Policy with Untrusted Domains," and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High).
Title		Aqara Developer Portal cross-origin resource sharing
Weaknesses		CWE-942
References		https://github.com/xn0tsa/theres-no-place-like-home https://www.runzero.com/advisories/aqara-dev-portal-cors-cve-2026-50088
Metrics		cvssV3_1 `{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: runZero

Published: 2026-06-12T15:01:49.680Z

Updated: 2026-06-12T15:01:49.680Z

Reserved: 2026-06-03T14:25:34.982Z

Link: CVE-2026-50088

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-06-12T16:16:32.403

Modified: 2026-06-12T16:20:55.597

Link: CVE-2026-50088

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-50088", "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914", "state": "PUBLISHED", "assignerShortName": "runZero", "dateReserved": "2026-06-03T14:25:34.982Z", "datePublished": "2026-06-12T15:01:49.680Z", "dateUpdated": "2026-06-12T15:01:49.680Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "44488dab-36db-4358-99f9-bc116477f914", "shortName": "runZero", "dateUpdated": "2026-06-12T15:01:49.680Z"}, "title": "Aqara Developer Portal cross-origin resource sharing", "datePublic": "2026-06-12T15:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-942", "description": "CWE-942 Permissive cross-domain security policy with untrusted domains", "type": "CWE"}]}], "affected": [{"vendor": "Aqara", "product": "Aqara Developer Portal", "versions": [{"status": "affected", "version": "2026-04-20", "lessThan": "0", "versionType": "date"}], "defaultStatus": "unaffected"}, {"vendor": "Aqara", "product": "Aqara Developer Test Portal", "versions": [{"status": "affected", "version": "2026-04-20", "lessThan": "0", "versionType": "date"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) exhibit cross-origin request sharing, which is an instance of \"CWE-942: Permissive Cross-domain Policy with Untrusted Domains,\" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High).", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) exhibit cross-origin request sharing, which is an instance of \"CWE-942: Permissive Cross-domain Policy with Untrusted Domains,\" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High)."}]}], "references": [{"url": "https://github.com/xn0tsa/theres-no-place-like-home", "tags": ["technical-description"]}, {"url": "https://www.runzero.com/advisories/aqara-dev-portal-cors-cve-2026-50088", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 8.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N"}}], "credits": [{"lang": "en", "value": "Sammy Azdoufal", "type": "finder"}, {"lang": "en", "value": "Tod Beardsley of runZero, Inc.", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}}}