cve.akaoma.com
Critical Vulnerability in Aqara IAM/SSO Gateway Exposes Signing Key
The Aqara IAM/SSO gateway (gw-builder.aqara.com) has a critical vulnerability (CVE-2026-50086) that allows unauthorized access to cryptographic operations involving the platform's signing key. This flaw enables unauthenticated attackers to forge authentication tokens, potentially granting them unauthorized access to the platform. The vulnerability is classified as a 'Missing Authentication for Critical Function' and 'Use of a Broken or Risky Cryptographic Algorithm.' The CVSS score is estimated at 7.5, indicating high severity. There is currently no evidence of active exploitation or a public proof-of-concept. Security patches have been released, and organizations are advised to implement authentication controls and review access logs. The vulnerability was first published on June 12, 2026.
Key Points:
• CVE-2026-50086 allows unauthorized cryptographic operations on Aqara IAM/SSO gateway.
• Attackers can forge authentication tokens without authentication, posing a significant risk.
• Immediate patching and implementation of authentication controls are recommended.