Home

Description

Aqara Home Android (com.lumiunited.aqarahome) 6.0.0 (and white-label clients embedding the same liblumidevsdk.so) uses hard-coded cryptographic keys, which is an instance of "CWE-321: Use of Hard-coded Cryptographic Key" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 Critical).

PUBLISHED Reserved 2026-06-03 | Published 2026-06-12 | Updated 2026-06-12 | Assigner runZero




CRITICAL: 9.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Problem types

CWE-321 Use of hard-coded cryptographic key

Product status

Default status
unaffected

6.0.0 (semver) before 0
affected

Credits

Sammy Azdoufal finder

Tod Beardsley of runZero, Inc. coordinator

References

github.com/xn0tsa/theres-no-place-like-home exploit

github.com/xn0tsa/theres-no-place-like-home technical-description

www.runzero.com/...s/aqara-hardcoded-sdk-keys-cve-2026-50091 third-party-advisory

cve.org (CVE-2026-50091)

nvd.nist.gov (CVE-2026-50091)

Download JSON