CVE-2026-50090
Aqara OAuth redirect_uri validation bypass
In short
Aqara's login system allows attackers to redirect users to fake websites by bypassing domain validation checks. This lets attackers steal login credentials or session tokens from unsuspecting users.
Technical detail
The OAuth Authorization Endpoint at open-cn.aqara.com/oauth/authorize fails to properly validate redirect_uri parameters, allowing attackers to bypass domain matching controls (CWE-1289). An unauthenticated attacker can craft a malicious authorization request that redirects authenticated users to attacker-controlled domains, enabling credential harvesting and session hijacking with only user interaction required.
Summary generated and translated by AI from the official description.
The Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize) is vulnerable to a redirect bypass because its domain-matching checks on the redirect_uri parameter are lax. This is an instance of CWE-1289 (Improper Validation of Unsafe Equivalence in Input) and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N (9.3 Critical).
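To make the CWE-1289 weakness class concrete, the following added example (not Aqara's code, and not taken from the official description) contrasts a hypothetical substring-based redirect_uri check with a strict canonical exact-match check of the kind RFC 6749 recommends. The registered URI, the candidate URIs and the client name are all constructed for illustration; nothing here reflects the actual logic of open-cn.aqara.com.

```python
from urllib.parse import urlsplit, SplitResult

# Constructed registration for a hypothetical OAuth client (not Aqara's data).
REGISTERED_REDIRECT_URIS = {
    "https://app.example.com/callback",
}


def _canonical(scheme: str, host: str, port, path: str) -> str:
    """Build a comparable canonical form: lower-cased scheme/host, default
    port dropped, empty path treated as '/'. Query and fragment are excluded
    because the strict check rejects them outright."""
    scheme = scheme.lower()
    canon = f"{scheme}://{host.lower()}"
    if port is not None and not (scheme == "https" and port == 443):
        canon += f":{port}"
    canon += path or "/"
    return canon


def _canonical_from_uri(uri: str) -> str:
    parts = urlsplit(uri)
    return _canonical(parts.scheme, parts.hostname or "", parts.port, parts.path)


# Canonical forms of the registered URIs, computed once.
REGISTERED_CANONICAL = {_canonical_from_uri(u) for u in REGISTERED_REDIRECT_URIS}


def lax_redirect_uri_allowed(candidate: str) -> bool:
    """Hypothetical weak check illustrating the CWE-1289 anti-pattern: it
    accepts any candidate whose text merely *contains* a registered hostname.
    It is both over-permissive (unrelated hosts pass) and under-permissive
    (a differently-cased but equivalent host fails)."""
    for registered in REGISTERED_REDIRECT_URIS:
        if urlsplit(registered).hostname in candidate:
            return True
    return False


def strict_redirect_uri_allowed(candidate: str) -> bool:
    """Hardened check: parse the candidate, reject ambiguous components
    (userinfo, fragment, query, non-https, unparsable port) and then require
    an exact match of the canonical scheme://host[:port]/path against the
    registered set."""
    try:
        parts: SplitResult = urlsplit(candidate)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if parts.scheme.lower() != "https" or not parts.hostname:
        return False
    # userinfo such as "trusted.host@attacker.host" is a classic equivalence
    # trick; fragments are forbidden by RFC 6749 and a query would break the
    # simple string comparison the RFC asks for.
    if parts.username is not None or parts.password is not None:
        return False
    if parts.fragment or parts.query:
        return False
    return _canonical(parts.scheme, parts.hostname, port, parts.path) in REGISTERED_CANONICAL


def compare_checks(candidates):
    """Return [(uri, lax_result, strict_result), ...] for a list of URIs."""
    return [
        (uri, lax_redirect_uri_allowed(uri), strict_redirect_uri_allowed(uri))
        for uri in candidates
    ]


if __name__ == "__main__":
    # Constructed sample candidates exercising typical equivalence mistakes.
    samples = [
        "https://app.example.com/callback",                   # legitimate
        "https://APP.example.com:443/callback",               # equivalent form
        "https://app.example.com.attacker.example/callback",  # suffix host
        "https://attacker.example/?next=app.example.com",     # host in query
        "https://app.example.com@attacker.example/callback",  # userinfo trick
        "http://app.example.com/callback",                    # scheme downgrade
    ]
    print(f"{'redirect_uri':<55} {'lax':<6} {'strict'}")
    for uri, lax, strict in compare_checks(samples):
        print(f"{uri:<55} {str(lax):<6} {strict}")
```

The substring checker accepts four of the six constructed candidates and wrongly rejects the upper-cased equivalent of the registered URI; the strict checker accepts only the two canonically identical forms. On the defensive side, the same strict function doubles as a detection hook: logging every authorization request whose redirect_uri is rejected, with the client_id and candidate URI, gives a clean signal for attempts to probe the matching logic.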
Affected products
Aqara · Cloud OAuth Authorization Endpoint