Skip to main content
Mallory
Back to vulnerabilities
HighPublic exploit

Unauthenticated MQTT Command Forwarding in Aqara Board Service

IdentifiersCVE-2026-50085CWE-306· Missing Authentication for…

CVE-2026-50085 is a missing-authentication flaw in the Aqara Board service exposed at op-test.aqara.com, also described in the source material as a Board IoT debug API. The vulnerable service accepts arbitrary MQTT command payloads from a remote requester and forwards those payloads to the platform's HiveMQ broker without requiring authentication. In effect, a debug or board-management API exposes a critical messaging function to unauthenticated network clients, allowing attacker-supplied MQTT commands to be injected into the backend message flow used for device operations. The issue is classified as CWE-306 (Missing Authentication for Critical Function). The provided material further states that this weakness can be chained with CVE-2026-50082, CVE-2026-50083, and CVE-2026-50084 to achieve fully unauthenticated remote takeover of affected Aqara cloud-managed devices.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

A remote unauthenticated attacker can submit arbitrary MQTT command payloads into Aqara's backend messaging path via the Board service. Based on the provided CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L), the primary impact is high integrity compromise, with low confidentiality and availability impact. Practically, this can enable unauthorized device command execution or manipulation of device behavior through the platform's broker infrastructure. The supplied content also states that, when combined with CVE-2026-50082, CVE-2026-50083, and CVE-2026-50084, the flaw can be used as part of a fully unauthenticated remote takeover chain affecting devices managed through the Aqara cloud platform.

Mitigation

If you can’t patch tonight, do this now.

Until a verified fix is deployed, restrict or block external access to the Board service endpoints, especially op-test.aqara.com and any equivalent debug API exposure. Remove internet exposure for test or debug services, place them behind VPN or administrative network controls, and apply IP allowlisting where possible. Monitor for unexpected or unauthorized MQTT command submissions through the Board service and review broker-side logs for anomalous command patterns. If feasible, disable the affected debug command-forwarding functionality entirely in production-adjacent environments. Because the source material indicates this issue is especially dangerous when chained with other Aqara cloud vulnerabilities, mitigation should also include addressing related weaknesses that enable token issuance, cross-account API access, or other unauthorized control paths.

Remediation

Patch, then assume compromise.

The vulnerable Board/debug API should be modified so that MQTT command submission and forwarding to the HiveMQ broker require strong authentication and authorization checks before any payload is accepted or relayed. Debug functionality that can issue or proxy device-control messages should not be exposed to unauthenticated users or internet-facing clients. If this endpoint is not required in production, it should be removed or disabled. Access controls should be enforced server-side for every command path, and any trust relationship between the Board service and the broker should be constrained so the service cannot act as an unauthenticated command proxy. The provided content does not include a vendor-issued patch version or fixed build identifier.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
AqaraBoard Serviceapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity6

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-50085
NVD
nvd.nist.gov/vuln/detail/CVE-2026-50085
MITRE CWE · CWE-306
Missing Authentication for Critical Function
github.com
github.com/xn0tsa/theres-no-place-like-home
runzero.com
runzero.com/advisories/aqara-board-iot-insecure-debug-api-cve-2026-50085