Severity: High

Permissive CORS in Aqara IAM/SSO Gateway

Identifiers: CVE-2026-50087 · CWE-942 (Permissive Cross-domain Security…)

CVE-2026-50087 affects the Aqara IAM/SSO gateway at gw-builder.aqara.com. According to the provided content, endpoints under gw-builder.aqara.com/iam/* reflect the request Origin header into the Access-Control-Allow-Origin response header and also set Access-Control-Allow-Credentials: true, with no allowlist enforcement. This creates a permissive cross-origin resource sharing condition classified as CWE-942. In practice, a malicious website can cause a victim’s browser to issue authenticated cross-origin requests to the Aqara IAM/SSO gateway and read the responses when the victim has an active authenticated session, exposing sensitive SSO/IAM data across origins.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can enable unauthorized cross-origin reading of authenticated responses from the Aqara IAM/SSO gateway in a victim’s browser context. Based on the supplied CVSS vector and description, the primary impact is high confidentiality loss, with limited integrity impact and no stated availability impact. Depending on the reachable IAM/SSO endpoints and returned data, an attacker may be able to access sensitive account or session-related information and potentially invoke low-impact authenticated actions via the victim’s session.

Mitigation

If you can’t patch tonight, do this now.

Until a full fix is deployed, restrict browser-based access to the affected IAM/SSO endpoints from untrusted origins, reduce or eliminate credentialed CORS on sensitive endpoints, and require reauthentication or anti-CSRF-style protections for sensitive operations where feasible. Monitoring for unusual cross-origin access patterns to gw-builder.aqara.com/iam/* may help detect exploitation attempts. User-side mitigation is limited because exploitation occurs through the victim browser while authenticated.

Remediation

Patch, then assume compromise.

Implement a strict CORS policy on gw-builder.aqara.com/iam/* that does not reflect arbitrary Origin values. Only explicitly trusted origins should be returned in Access-Control-Allow-Origin, and credentialed cross-origin access should be disabled unless strictly required. If credentials are required, enforce a server-side allowlist of exact trusted origins (full scheme and host, matched exactly rather than by prefix or substring) and send Vary: Origin so that caches do not serve one origin's CORS response to another. Review all IAM/SSO endpoints for unnecessary cross-origin exposure and remove Access-Control-Allow-Credentials where not needed.
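As an added illustration that is not Aqara's code, the following Python puts the origin-reflecting behaviour described above next to an exact-match allowlist handler, applies the read check a browser performs so the difference is visible, and runs the monitoring idea from the mitigation section over a few constructed gateway log lines. The trusted origins, the untrusted test origin, and the log line format are all assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Hypothetical allowlist: the real trusted origins for the gateway are not on the page.
TRUSTED_ORIGINS = frozenset({"https://app.example.com", "https://sso.example.com"})


def reflect_origin_cors(origin):
    """Weak pattern (CWE-942): whatever the browser sent in Origin is echoed back in
    Access-Control-Allow-Origin, together with Allow-Credentials: true."""
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def _is_well_formed_origin(origin):
    # An Origin value is scheme://host[:port] with nothing after it; "null" fails here.
    parts = urlsplit(origin)
    return (parts.scheme == "https" and bool(parts.netloc)
            and parts.path == "" and not parts.query and not parts.fragment)


def strict_cors(origin, allowlist=TRUSTED_ORIGINS):
    """Hardened pattern: exact-match allowlist, no ACAO header at all for anything
    else, and Vary: Origin so caches keep per-origin responses apart."""
    if origin is None or not _is_well_formed_origin(origin) or origin not in allowlist:
        return {"Vary": "Origin"}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


def browser_can_read(origin, headers, credentialed=True):
    """The check a browser applies before exposing a cross-origin response body."""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if acao == "*":
        return not credentialed  # wildcard is never accepted for credentialed requests
    if acao != origin:
        return False
    if credentialed and headers.get("Access-Control-Allow-Credentials") != "true":
        return False
    return True


# Constructed log format (not the gateway's real access log): one request per line.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<method>\S+) (?P<path>\S+) "
                    r"origin=(?P<origin>\S+) acao=(?P<acao>\S+) acac=(?P<acac>\S+)$")

SAMPLE_LOG = [
    "2026-01-01T10:00:00Z GET /iam/session origin=https://app.example.com "
    "acao=https://app.example.com acac=true",
    "2026-01-01T10:00:05Z GET /iam/session origin=https://untrusted.example "
    "acao=https://untrusted.example acac=true",
    "2026-01-01T10:00:07Z GET /iam/session origin=- acao=- acac=-",
    "2026-01-01T10:00:09Z GET /health origin=https://untrusted.example "
    "acao=https://untrusted.example acac=true",
]


def find_reflected_credentialed(log_lines, allowlist=TRUSTED_ORIGINS):
    """Flag /iam/* responses whose ACAO echoes an origin outside the allowlist while
    credentials are allowed: the exact condition the advisory describes."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        f = m.groupdict()
        if (f["path"].startswith("/iam/") and f["origin"] != "-"
                and f["acao"] == f["origin"] and f["acac"] == "true"
                and f["origin"] not in allowlist):
            hits.append((f["ts"], f["origin"], f["path"]))
    return hits


if __name__ == "__main__":
    evil = "https://untrusted.example"
    print("reflecting handler readable by untrusted page:",
          browser_can_read(evil, reflect_origin_cors(evil)))   # True
    print("strict handler readable by untrusted page:",
          browser_can_read(evil, strict_cors(evil)))           # False
    for hit in find_reflected_credentialed(SAMPLE_LOG):
        print("reflected credentialed CORS on", hit)
```

Note that set membership is what makes the allowlist exact: a lookalike such as https://app.example.com.untrusted.example is simply not in the set, whereas a prefix or substring comparison would accept it. The detection helper is only a pattern illustration; it assumes the gateway logs the Origin request header and the two CORS response headers per request.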
PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors correlated with this vulnerability:

Vendor: Aqara
Product: IAM SSO Gateway
Type: application

Vendor-confirmed product mapping.
