Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
In Meari client applications embedding "com.meari.sdk" (including CloudEdge 5.5.0 build 220, Arenti 1.8.1 build 220, and related white-label <= 1.8.x), the integrated call path to openapi-euce.mearicloud.com can be abused to retrieve WAN IP data for arbitrary devices. The root cause is a server-side authorization failure in "GET /openapi/device/status".
AnalysisAI
Server-side authorization bypass in Meari SDK (com.meari.sdk) exposes WAN IP addresses of arbitrary IoT devices to unauthenticated remote attackers. Affects CloudEdge 5.5.0 build 220, Arenti 1.8.1 build 220, and white-label applications ≤1.8.x that embed the SDK. Attackers can enumerate device IPs by exploiting the openapi-euce.mearicloud.com endpoint without authentication (CVSS AV:N/PR:N), enabling reconnaissance for targeted attacks against exposed cameras and IoT infrastructure. EPSS data not available; no CISA KEV listing at time of analysis. Public vulnerability disclosure with technical details published by runZero.
Technical ContextAI
The vulnerability stems from CWE-862 (Missing Authorization) in the Meari cloud API infrastructure. The SDK - embedded in multiple white-label IoT camera applications - makes REST calls to openapi-euce.mearicloud.com for device management. The GET /openapi/device/status endpoint returns device metadata including WAN IP addresses without validating that the requesting client is authorized to access the queried device. This is a classic IDOR (Insecure Direct Object Reference) vulnerability where lack of server-side access control allows enumeration of resources across tenant boundaries. The affected CPE cpe:2.3:a:meari:com.meari.sdk indicates the vulnerability resides in the SDK library itself, meaning any application integrating this component inherits the flaw until updated. The server-side nature means client-side SDK updates alone may be insufficient if the cloud API backend remains unpatched.
RemediationAI
Primary remediation requires server-side fix from Meari to implement proper authorization checks on the GET /openapi/device/status endpoint. Users should upgrade CloudEdge to version later than 5.5.0 build 220 and Arenti to version later than 1.8.1 build 220 once patched versions are released (patch availability not confirmed at time of analysis - monitor vendor channels). For white-label deployments, contact device manufacturer for SDK update timeline. Compensating controls: implement network segmentation to isolate IoT cameras on dedicated VLAN with restricted internet access, reducing exposure of WAN IPs through the cloud API. Deploy firewall rules limiting outbound connections from cameras to only essential cloud endpoints, though this may break cloud management features. Monitor API access logs for unusual device status queries if available. Organizations can reduce attack surface by disabling cloud connectivity and using local-only camera management where operationally feasible, though this eliminates remote access capabilities. Consult runZero advisory for updated remediation guidance: https://www.runzero.com/advisories/meari-openapi-device-status-idor-cve-2026-33357/.
More in Com Meari Sdk
View allSame weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29103
GHSA-mg5x-6x36-w8v4