CVE-2026-50090
9.3 CRITICALThe Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize) is vulnerable to a redirect bypass due to lax controls o...
Published: 2026-06-12 · Last updated: 2026-06-12
Severity and scoring
- CVSS
- 9.3 CRITICAL
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
- CWE
- CWE-1289
Description
The Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize) is vulnerable to a redirect bypass due to lax controls on domain matching, which is an instance of "CWE-1289: Improper Validation of Unsafe Equivalence in Input" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N (9.3 Critical).
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-42462 — Fedify is a TypeScript library for building federated server apps powered by ActivityPub (7.0 HIGH)
- CVE-2026-49942 — Net::CIDR::Set versions through 0.20 for Perl did not validate network masks (7.3 HIGH)
- CVE-2026-49940 — Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks (6.5 MEDIUM)
- CVE-2026-47674 — Hono is a Web application framework that provides support for any JavaScript runtime (5.3 MEDIUM)
- CVE-2026-48710 — Starlette is a lightweight ASGI framework/toolkit (6.5 MEDIUM)