ByteOS Network

NVD Vulnerability Details :

CVE-2026-50085

Awaiting Analysis

Source-44488dab-36db-4358-99f9-bc116477f914

Published At-12 Jun, 2026 | 16:16

Updated At-12 Jun, 2026 | 17:16

The Aqara Board service (op-test.aqara.com) accepts arbitrary MQTT command payloads, and forwards them to the platfom's HiveMQ broker without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and has an estimated CVSS ofCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L (8.6 High). When combined with CVE-2026-50082, CVE-50083, and CVE-50084, this can lead to a fully unauthenticated, remote takeover of affected devices.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	8.6	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

Type: Secondary

Version: 3.1

Base score: 8.6

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

Weaknesses

CWE ID	Type	Source
CWE-306	Secondary	44488dab-36db-4358-99f9-bc116477f914

CWE ID: CWE-306

Type: Secondary

Source: 44488dab-36db-4358-99f9-bc116477f914

References

Hyperlink	Source	Resource
https://github.com/xn0tsa/theres-no-place-like-home	44488dab-36db-4358-99f9-bc116477f914	N/A
https://www.runzero.com/advisories/aqara-board-iot-insecure-debug-api-cve-2026-50085	44488dab-36db-4358-99f9-bc116477f914	N/A
https://github.com/xn0tsa/theres-no-place-like-home	134c704f-9b21-4f2e-91b3-4a467353bcc0	N/A