CVE 8.6 HIGH

Aqara Board IoT insecure debug API_CVE-2026-50085

June 12, 2026 invoker category_cve

8.6 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

Description

The Aqara Board service (op-test.aqara.com) accepts arbitrary MQTT command payloads, and forwards them to the platfom's HiveMQ broker without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and has an estimated CVSS ofCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L (8.6 High). When combined with CVE-2026-50082, CVE-50083, and CVE-50084, this can lead to a fully unauthenticated, remote takeover of affected devices.

AI Analysis

Aqara Board service vulnerable to missing authentication for critical function, allowing remote takeover when combined with other CVEs

Basic Information

ID CVE-2026-50085

Source runZero

Published Jun 12, 2026 at 15:01

Affected Product

Vendor Aqara

Product Board service

Version 2026-04-20

Affected Versions Aqara Board service 2026-04-20

CWE Classification

CWE-306

AI Assessment

AI Score 8.6 / 10

AI Severity High

Vendor Aqara

Product Aqara Board service

Version 2026-04-20

References

{
    "lastseen": "",
    "description": "The Aqara Board service (op-test.aqara.com) accepts arbitrary MQTT command payloads, and forwards them to the platfom's HiveMQ broker without authentication. This is an instance of \"CWE-306: Missing Authentication for Critical Function\" and has an estimated CVSS ofCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L (8.6 High). When combined with CVE-2026-50082, CVE-50083, and CVE-50084, this can lead to a fully unauthenticated, remote takeover of affected devices.",
    "published": "2026-06-12T15:01:13.523Z",
    "modified": "2026-06-12T15:01:13.523Z",
    "type": "cve",
    "title": "Aqara Board IoT insecure debug API",
    "source": "runZero",
    "references": "https://github.com/xn0tsa/theres-no-place-like-home\nhttps://www.runzero.com/advisories/aqara-board-iot-insecure-debug-api-cve-2026-50085",
    "id": "CVE-2026-50085",
    "bulletinFamily": "",
    "cwe": [
        "CWE-306"
    ],
    "cvelist": null,
    "sourceData": "Aqara Board service 2026-04-20",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Board service",
    "version": "2026-04-20",
    "vendor": "Aqara",
    "ai_description": "Aqara Board service vulnerable to missing authentication for critical function, allowing remote takeover when combined with other CVEs",
    "ai_severity": "High",
    "ai_vendor": "Aqara",
    "ai_product": "Aqara Board service",
    "ai_version": "2026-04-20",
    "ai_score": 8.6
}

💭 Join the Security Discussion ❌ Cancel Reply