Mallory
Severity: Critical

OAuth Redirect Suffix Match in Aqara Cloud Authorization Endpoint

Identifiers: CVE-2026-50090 · CWE-1289 (Improper Validation of Unsafe Equivalence in Input)

CVE-2026-50090 affects the Aqara Cloud OAuth authorization endpoint at open-cn.aqara.com/oauth/authorize. The endpoint validates the OAuth redirect_uri parameter using a suffix-based domain match rather than exact matching against an authorized redirect URI. As reported, a value such as redirect_uri=https://aqara.com.evil.example.com can pass validation because it ends with an allowed domain string. This is a redirect bypass / open redirect condition in the OAuth authorization flow and is classified as CWE-1289 (Improper Validation of Unsafe Equivalence in Input). Successful exploitation can cause the authorization server to send OAuth authorization codes to an attacker-controlled lookalike domain instead of the legitimate client redirect endpoint.


ANALYST BRIEF

Impact, mitigation & remediation


Impact


The primary impact is compromise of the OAuth authorization flow. If a victim is induced to complete authorization through a crafted request, the authorization code can be delivered to an attacker-controlled domain. Because the CVSS vector indicates Scope: Changed and high confidentiality and integrity impact, successful exploitation may enable unauthorized access to protected user data and actions available through the associated OAuth client context. Availability impact is not indicated in the provided material.

Mitigation


Until a server-side fix is fully deployed, restrict OAuth clients to the minimum necessary redirect URIs and disable any unnecessary or untrusted client registrations. Monitor authorization requests for suspicious redirect_uri values, especially domains that merely contain or suffix-match trusted names. Add detection for authorization flows involving unexpected hosts and review logs for anomalous code issuance. Where feasible, temporarily suspend affected OAuth flows or high-risk clients until exact-match validation is enforced. The provided content does not specify additional vendor-recommended mitigations.

Remediation


Change redirect_uri validation at open-cn.aqara.com/oauth/authorize from suffix-based or partial domain comparison to strict exact matching against a pre-registered allowlist of full redirect URIs for each OAuth client. Normalize and compare scheme, host, port, and path consistently before validation, and reject lookalike domains, superdomains, subdomain tricks, and other equivalence-bypass cases. Review all OAuth clients registered in the platform to ensure only intended redirect URIs are permitted, and invalidate or rotate tokens or authorization artifacts if there is evidence of abuse. The provided content does not include a vendor-issued patch version or fix date specific to this CVE.
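
The following is an added example, not code from Aqara or from Mallory, illustrating both the exact-match remediation above and the log monitoring suggested under Mitigation. The advisory does not publish the actual flawed check, so `vulnerable_partial_match` is an assumed minimal partial-domain comparison that reproduces the bypass shape described (the lookalike host contains the trusted domain string). The client IDs, registered redirect URIs and authorization log lines are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample registry: exact, pre-registered redirect URIs per OAuth
# client. Client IDs and URIs are assumptions for this example, not Aqara's.
REGISTERED_REDIRECTS = {
    "client-a": {"https://aqara.com/oauth/callback"},
    "client-b": {"https://partner.example.net/cb"},
}
TRUSTED_DOMAIN = "aqara.com"


def vulnerable_partial_match(redirect_uri: str) -> bool:
    """Assumed shape of the flawed check (not the vendor's real code): accept any
    redirect_uri whose host contains the trusted domain string. This is exactly
    the kind of partial comparison that lets aqara.com.evil.example.com pass."""
    host = (urlsplit(redirect_uri).hostname or "").lower()
    return TRUSTED_DOMAIN in host


def normalize(uri: str):
    """Canonical (scheme, host, port, path, query) tuple for comparison.
    Returns None for URIs that should never be accepted as a redirect target
    (missing scheme/host, userinfo, fragment, unparsable port)."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")
    if not scheme or not host or parts.username or parts.password or parts.fragment:
        return None
    try:
        port = parts.port
    except ValueError:  # e.g. "https://host:abc/"
        return None
    if port is None:
        port = {"https": 443, "http": 80}.get(scheme)
    path = parts.path or "/"
    return (scheme, host, port, path, parts.query)


def strict_redirect_allowed(client_id: str, redirect_uri: str) -> bool:
    """Remediated check: the normalized candidate must equal one of the client's
    pre-registered full redirect URIs. Superdomains, lookalikes and other
    equivalence tricks fail because the whole tuple must match."""
    candidate = normalize(redirect_uri)
    if candidate is None:
        return False
    return any(candidate == normalize(r) for r in REGISTERED_REDIRECTS.get(client_id, ()))


# Constructed authorization-server log lines for the monitoring example.
AUTHZ_LOG = """\
2026-04-01T10:00:01Z client_id=client-a redirect_uri=https://aqara.com/oauth/callback result=code_issued
2026-04-01T10:00:07Z client_id=client-a redirect_uri=https://aqara.com.evil.example.com/oauth/callback result=code_issued
2026-04-01T10:00:09Z client_id=client-a redirect_uri=https://AQARA.com:443/oauth/callback result=code_issued
2026-04-01T10:00:12Z client_id=client-b redirect_uri=https://partner.example.net/cb#frag result=code_issued
"""


def find_suspicious_code_issuance(log_text: str) -> list:
    """Return (timestamp, client_id, redirect_uri) for every code issuance whose
    redirect_uri would fail exact-match validation; these are the events to
    review for abuse while the server-side fix is being rolled out."""
    hits = []
    for line in log_text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        ts, fields = tokens[0], dict(f.split("=", 1) for f in tokens[1:])
        if fields.get("result") != "code_issued":
            continue
        if not strict_redirect_allowed(fields.get("client_id", ""), fields.get("redirect_uri", "")):
            hits.append((ts, fields["client_id"], fields["redirect_uri"]))
    return hits


if __name__ == "__main__":
    lookalike = "https://aqara.com.evil.example.com"
    print("partial match accepts lookalike:", vulnerable_partial_match(lookalike))
    print("strict match accepts lookalike: ", strict_redirect_allowed("client-a", lookalike))
    for hit in find_suspicious_code_issuance(AUTHZ_LOG):
        print("review:", hit)
```

The case-folded, explicit-port line (`https://AQARA.com:443/oauth/callback`) is accepted because normalization maps it to the same tuple as the registered URI; the lookalike host and the fragment-bearing URI are both flagged. Comparing the query string as part of the tuple is the conservative choice; if a deployment registers redirect URIs with dynamic query parameters, that field needs its own policy rather than being dropped from the comparison.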

PUBLIC EXPLOITS

No public exploit code observed for this vulnerability; no public exploits tracked yet.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors correlated with this vulnerability (vendor-confirmed product mapping):

Vendor: Aqara · Product: Cloud · Type: application
