Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-50085

Summary
Assigner-runZero
Assigner Org ID-44488dab-36db-4358-99f9-bc116477f914
Published At-12 Jun, 2026 | 15:01
Updated At-12 Jun, 2026 | 15:54
Rejected At-
Credits

Aqara Board IoT insecure debug API

The Aqara Board service (op-test.aqara.com) accepts arbitrary MQTT command payloads, and forwards them to the platfom's HiveMQ broker without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and has an estimated CVSS ofCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L (8.6 High). When combined with CVE-2026-50082, CVE-50083, and CVE-50084, this can lead to a fully unauthenticated, remote takeover of affected devices.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:runZero
Assigner Org ID:44488dab-36db-4358-99f9-bc116477f914
Published At:12 Jun, 2026 | 15:01
Updated At:12 Jun, 2026 | 15:54
Rejected At:
â–¼CVE Numbering Authority (CNA)
Aqara Board IoT insecure debug API

The Aqara Board service (op-test.aqara.com) accepts arbitrary MQTT command payloads, and forwards them to the platfom's HiveMQ broker without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and has an estimated CVSS ofCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L (8.6 High). When combined with CVE-2026-50082, CVE-50083, and CVE-50084, this can lead to a fully unauthenticated, remote takeover of affected devices.

Affected Products
Vendor
Aqara
Product
Board service
Default Status
unaffected
Versions
Affected
  • From 2026-04-20 before 0 (date)
Problem Types
TypeCWE IDDescription
CWECWE-306CWE-306 Missing authentication for critical function
Type: CWE
CWE ID: CWE-306
Description: CWE-306 Missing authentication for critical function
Metrics
VersionBase scoreBase severityVector
3.18.6HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Version: 3.1
Base score: 8.6
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Sammy Azdoufal
coordinator
Tod Beardsley of runZero, Inc.
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/xn0tsa/theres-no-place-like-home
technical-description
https://www.runzero.com/advisories/aqara-board-iot-insecure-debug-api-cve-2026-50085
third-party-advisory
Hyperlink: https://github.com/xn0tsa/theres-no-place-like-home
Resource:
technical-description
Hyperlink: https://www.runzero.com/advisories/aqara-board-iot-insecure-debug-api-cve-2026-50085
Resource:
third-party-advisory
â–¼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/xn0tsa/theres-no-place-like-home
exploit
Hyperlink: https://github.com/xn0tsa/theres-no-place-like-home
Resource:
exploit
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:44488dab-36db-4358-99f9-bc116477f914
Published At:12 Jun, 2026 | 16:16
Updated At:12 Jun, 2026 | 17:16

The Aqara Board service (op-test.aqara.com) accepts arbitrary MQTT command payloads, and forwards them to the platfom's HiveMQ broker without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and has an estimated CVSS ofCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L (8.6 High). When combined with CVE-2026-50082, CVE-50083, and CVE-50084, this can lead to a fully unauthenticated, remote takeover of affected devices.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.18.6HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Type: Secondary
Version: 3.1
Base score: 8.6
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-306Secondary44488dab-36db-4358-99f9-bc116477f914
CWE ID: CWE-306
Type: Secondary
Source: 44488dab-36db-4358-99f9-bc116477f914
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/xn0tsa/theres-no-place-like-home44488dab-36db-4358-99f9-bc116477f914
N/A
https://www.runzero.com/advisories/aqara-board-iot-insecure-debug-api-cve-2026-5008544488dab-36db-4358-99f9-bc116477f914
N/A
https://github.com/xn0tsa/theres-no-place-like-home134c704f-9b21-4f2e-91b3-4a467353bcc0
N/A
Hyperlink: https://github.com/xn0tsa/theres-no-place-like-home
Source: 44488dab-36db-4358-99f9-bc116477f914
Resource: N/A
Hyperlink: https://www.runzero.com/advisories/aqara-board-iot-insecure-debug-api-cve-2026-50085
Source: 44488dab-36db-4358-99f9-bc116477f914
Resource: N/A
Hyperlink: https://github.com/xn0tsa/theres-no-place-like-home
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

7Records found
CVE-2026-50082
Matching Score-6
Assigner-44488dab-36db-4358-99f9-bc116477f914
ShareView Details
Matching Score-6
Assigner-44488dab-36db-4358-99f9-bc116477f914
CVSS Score-6.5||MEDIUM
EPSS-Not Assigned
Published-12 Jun, 2026 | 15:00
Updated-12 Jun, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Aqara Developer Portal insecure authentication token

The Aqara Cloud Developer Portal (developer.aqara.com) issued a developer token to any email address supplied by the attacker. This is an instance of "CWE-306: Missing Authentication for Critical Function" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (6.5 Medium). When combined with CVE-2026-50083, CVE-2026-50084, and CVE-2026-50085, any otherwise-unauthenticated attacker could execute a full takeover of affected devices.

Action-Not Available
Vendor-Aqara
Product-Cloud Developer Portal
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2025-61673
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.6||HIGH
EPSS-0.44% / 63.60%
||
7 Day CHG+0.04%
Published-03 Oct, 2025 | 21:12
Updated-06 Oct, 2025 | 14:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Karapace is vulnerable to Authentication Bypass

Karapace is an open-source implementation of Kafka REST and Schema Registry. Versions 5.0.0 and 5.0.1 contain an authentication bypass vulnerability when configured to use OAuth 2.0 Bearer Token authentication. If a request is sent without an Authorization header, the token validation logic is skipped entirely, allowing an unauthenticated user to read and write to Schema Registry endpoints that should otherwise be protected. This effectively renders the OAuth authentication mechanism ineffective. This issue is fixed in version 5.0.2.

Action-Not Available
Vendor-Aiven
Product-karapace
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2026-33719
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.6||HIGH
EPSS-0.14% / 34.05%
||
7 Day CHG~0.00%
Published-23 Mar, 2026 | 18:49
Updated-25 Mar, 2026 | 14:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AVideo Vulnerable to Unauthenticated CDN Configuration Takeover via Empty Default Key Bypass and Mass-Assignment in status.json.php

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the CDN plugin endpoints `plugin/CDN/status.json.php` and `plugin/CDN/disable.json.php` use key-based authentication with an empty string default key. When the CDN plugin is enabled but the key has not been configured (the default state), the key validation check is completely bypassed, allowing any unauthenticated attacker to modify the full CDN configuration — including CDN URLs, storage credentials, and the authentication key itself — via mass-assignment through the `par` request parameter. Commit adeff0a31ba04a56f411eef256139fd7ed7d4310 contains a patch.

Action-Not Available
Vendor-wwbnWWBN
Product-avideoAVideo
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2026-39310
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.6||HIGH
EPSS-0.07% / 21.96%
||
7 Day CHG~0.00%
Published-20 May, 2026 | 19:05
Updated-21 May, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Trilium Notes: Authentication Bypass in Clipper API for Electron (Desktop) Builds

Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. In versions 0.102.1 and prior, the Clipper API in Trilium Desktop (v0.101.3) allows full authentication bypass when running in an Electron environment. When Trilium detects an Electron environment, it explicitly disables authentication middleware for the Clipper API, exposing endpoints such as /api/clipper/notes to the network with no password, API token, or CSRF protection. An attacker on a shared network (for example, a corporate LAN or public Wi-Fi) can scan for open high-range ports using a tool like nmap, since Trilium often binds to ports such as 37840. Once a candidate port is found, an unauthenticated request to the Clipper handshake endpoint, which also bypasses authentication, confirms a Trilium instance by returning the application name and protocol version. This facilitates unauthorized data access, phishing, and local system compromise. The issue has been fixed in version 0.102.2.

Action-Not Available
Vendor-TriliumNext
Product-Trilium
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2023-25014
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.6||HIGH
EPSS-0.55% / 68.36%
||
7 Day CHG~0.00%
Published-02 Feb, 2023 | 00:00
Updated-26 Mar, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in the femanager extension before 5.5.3, 6.x before 6.3.4, and 7.x before 7.1.0 for TYPO3. Missing access checks in the InvitationController allow an unauthenticated user to delete all frontend users.

Action-Not Available
Vendor-in2coden/a
Product-femanagern/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CWE ID-CWE-862
Missing Authorization
CVE-2023-25013
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.6||HIGH
EPSS-0.55% / 68.36%
||
7 Day CHG~0.00%
Published-02 Feb, 2023 | 00:00
Updated-26 Mar, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in the femanager extension before 5.5.3, 6.x before 6.3.4, and 7.x before 7.1.0 for TYPO3. Missing access checks in the InvitationController allow an unauthenticated user to set the password of all frontend users.

Action-Not Available
Vendor-in2coden/a
Product-femanagern/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2019-13933
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-8.6||HIGH
EPSS-0.71% / 72.73%
||
7 Day CHG~0.00%
Published-16 Jan, 2020 | 00:00
Updated-05 Aug, 2024 | 00:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in SCALANCE X204RNA (HSR), SCALANCE X204RNA (PRP), SCALANCE X204RNA EEC (HSR), SCALANCE X204RNA EEC (PRP), SCALANCE X204RNA EEC (PRP/HSR), SCALANCE X302-7 EEC (230V), SCALANCE X302-7 EEC (230V, coated), SCALANCE X302-7 EEC (24V), SCALANCE X302-7 EEC (24V, coated), SCALANCE X302-7 EEC (2x 230V), SCALANCE X302-7 EEC (2x 230V, coated), SCALANCE X302-7 EEC (2x 24V), SCALANCE X302-7 EEC (2x 24V, coated), SCALANCE X304-2FE, SCALANCE X306-1LD FE, SCALANCE X307-2 EEC (230V), SCALANCE X307-2 EEC (230V, coated), SCALANCE X307-2 EEC (24V), SCALANCE X307-2 EEC (24V, coated), SCALANCE X307-2 EEC (2x 230V), SCALANCE X307-2 EEC (2x 230V, coated), SCALANCE X307-2 EEC (2x 24V), SCALANCE X307-2 EEC (2x 24V, coated), SCALANCE X307-3, SCALANCE X307-3, SCALANCE X307-3LD, SCALANCE X307-3LD, SCALANCE X308-2, SCALANCE X308-2, SCALANCE X308-2LD, SCALANCE X308-2LD, SCALANCE X308-2LH, SCALANCE X308-2LH, SCALANCE X308-2LH+, SCALANCE X308-2LH+, SCALANCE X308-2M, SCALANCE X308-2M, SCALANCE X308-2M PoE, SCALANCE X308-2M PoE, SCALANCE X308-2M TS, SCALANCE X308-2M TS, SCALANCE X310, SCALANCE X310, SCALANCE X310FE, SCALANCE X310FE, SCALANCE X320-1 FE, SCALANCE X320-1-2LD FE, SCALANCE X408-2, SCALANCE XR324-12M (230V, ports on front), SCALANCE XR324-12M (230V, ports on front), SCALANCE XR324-12M (230V, ports on rear), SCALANCE XR324-12M (230V, ports on rear), SCALANCE XR324-12M (24V, ports on front), SCALANCE XR324-12M (24V, ports on front), SCALANCE XR324-12M (24V, ports on rear), SCALANCE XR324-12M (24V, ports on rear), SCALANCE XR324-12M TS (24V), SCALANCE XR324-12M TS (24V), SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on front), SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on front), SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on rear), SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on rear), SCALANCE XR324-4M EEC (24V, ports on front), SCALANCE XR324-4M EEC (24V, ports on front), SCALANCE XR324-4M EEC (24V, ports on rear), SCALANCE XR324-4M EEC (24V, ports on rear), SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on front), SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on front), SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on rear), SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on rear), SCALANCE XR324-4M EEC (2x 24V, ports on front), SCALANCE XR324-4M EEC (2x 24V, ports on front), SCALANCE XR324-4M EEC (2x 24V, ports on rear), SCALANCE XR324-4M EEC (2x 24V, ports on rear), SCALANCE XR324-4M PoE (230V, ports on front), SCALANCE XR324-4M PoE (230V, ports on rear), SCALANCE XR324-4M PoE (24V, ports on front), SCALANCE XR324-4M PoE (24V, ports on rear), SCALANCE XR324-4M PoE TS (24V, ports on front), SIPLUS NET SCALANCE X308-2. Affected devices contain a vulnerability that allows an unauthenticated attacker to violate access-control rules. The vulnerability can be triggered by sending GET request to specific uniform resource locator on the web configuration interface of the device. The security vulnerability could be exploited by an attacker with network access to the affected systems. An attacker could use the vulnerability to obtain sensitive information or change the device configuration. At the time of advisory publication no public exploitation of this security vulnerability was known.

Action-Not Available
Vendor-Siemens AG
Product-scalance_x408-2_firmwarescalance_x-200rnascalance_xr-300scalance_x204rna_firmwarescalance_x-300scalance_x-200rna_firmwarescalance_x-300_firmwarescalance_x408-2scalance_xr-300_firmwarescalance_x204rnasiplus_net_csm_1277_firmwarescalance_xr-300wg_firmwarescalance_xr-300wgsiplus_net_csm_1277SCALANCE XR324-12M TS (24V)SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on rear)SCALANCE XR324-4M PoE (24V, ports on rear)SCALANCE XR324-4M EEC (24V, ports on front)SCALANCE XR324-12M (230V, ports on rear)SCALANCE X307-2 EEC (2x 24V, coated)SCALANCE XR324-4M PoE TS (24V, ports on front)SCALANCE X307-3SCALANCE X308-2MSCALANCE XR324-12M (24V, ports on rear)SCALANCE X308-2SCALANCE X308-2M PoESCALANCE X310FESCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on front)SCALANCE X308-2LH+SCALANCE X302-7 EEC (24V, coated)SCALANCE X307-2 EEC (230V, coated)SCALANCE X204RNA EEC (PRP)SCALANCE X307-3LDSCALANCE X308-2LHSCALANCE XR324-4M EEC (24V, ports on rear)SCALANCE X204RNA (PRP)SCALANCE XR324-4M PoE (24V, ports on front)SCALANCE X302-7 EEC (2x 230V)SCALANCE X408-2SIPLUS NET SCALANCE X308-2SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on front)SCALANCE XR324-4M PoE (230V, ports on rear)SCALANCE X302-7 EEC (230V)SCALANCE X307-2 EEC (24V, coated)SCALANCE X307-2 EEC (2x 230V, coated)SCALANCE X302-7 EEC (2x 24V, coated)SCALANCE X308-2LDSCALANCE X307-2 EEC (24V)SCALANCE X204RNA EEC (HSR)SCALANCE X304-2FESCALANCE X310SCALANCE X307-2 EEC (2x 24V)SCALANCE X307-2 EEC (230V)SCALANCE X204RNA (HSR)SCALANCE XR324-12M (24V, ports on front)SCALANCE X320-1 FESCALANCE X302-7 EEC (2x 24V)SCALANCE X306-1LD FESCALANCE X308-2M TSSCALANCE XR324-4M PoE (230V, ports on front)SCALANCE X307-2 EEC (2x 230V)SCALANCE X302-7 EEC (230V, coated)SCALANCE X302-7 EEC (24V)SCALANCE X302-7 EEC (2x 230V, coated)SCALANCE X320-1-2LD FESCALANCE X204RNA EEC (PRP/HSR)SCALANCE XR324-4M EEC (2x 24V, ports on rear)SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on rear)SCALANCE XR324-12M (230V, ports on front)SCALANCE XR324-4M EEC (2x 24V, ports on front)
CWE ID-CWE-306
Missing Authentication for Critical Function
Details not found