Skip to main content

Meari SDK CVE-2026-33357

| EUVDEUVD-2026-29103 HIGH
Missing Authorization (CWE-862)
2026-05-11 runZero GHSA-mg5x-6x36-w8v4
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 11, 2026 - 16:45 vuln.today
CVE Published
May 11, 2026 - 16:02 nvd
HIGH 7.5

DescriptionCVE.org

In Meari client applications embedding "com.meari.sdk" (including CloudEdge 5.5.0 build 220, Arenti 1.8.1 build 220, and related white-label <= 1.8.x), the integrated call path to openapi-euce.mearicloud.com can be abused to retrieve WAN IP data for arbitrary devices. The root cause is a server-side authorization failure in "GET /openapi/device/status".

AnalysisAI

Server-side authorization bypass in Meari SDK (com.meari.sdk) exposes WAN IP addresses of arbitrary IoT devices to unauthenticated remote attackers. Affects CloudEdge 5.5.0 build 220, Arenti 1.8.1 build 220, and white-label applications ≤1.8.x that embed the SDK. Attackers can enumerate device IPs by exploiting the openapi-euce.mearicloud.com endpoint without authentication (CVSS AV:N/PR:N), enabling reconnaissance for targeted attacks against exposed cameras and IoT infrastructure. EPSS data not available; no CISA KEV listing at time of analysis. Public vulnerability disclosure with technical details published by runZero.

Technical ContextAI

The vulnerability stems from CWE-862 (Missing Authorization) in the Meari cloud API infrastructure. The SDK - embedded in multiple white-label IoT camera applications - makes REST calls to openapi-euce.mearicloud.com for device management. The GET /openapi/device/status endpoint returns device metadata including WAN IP addresses without validating that the requesting client is authorized to access the queried device. This is a classic IDOR (Insecure Direct Object Reference) vulnerability where lack of server-side access control allows enumeration of resources across tenant boundaries. The affected CPE cpe:2.3:a:meari:com.meari.sdk indicates the vulnerability resides in the SDK library itself, meaning any application integrating this component inherits the flaw until updated. The server-side nature means client-side SDK updates alone may be insufficient if the cloud API backend remains unpatched.

RemediationAI

Primary remediation requires server-side fix from Meari to implement proper authorization checks on the GET /openapi/device/status endpoint. Users should upgrade CloudEdge to version later than 5.5.0 build 220 and Arenti to version later than 1.8.1 build 220 once patched versions are released (patch availability not confirmed at time of analysis - monitor vendor channels). For white-label deployments, contact device manufacturer for SDK update timeline. Compensating controls: implement network segmentation to isolate IoT cameras on dedicated VLAN with restricted internet access, reducing exposure of WAN IPs through the cloud API. Deploy firewall rules limiting outbound connections from cameras to only essential cloud endpoints, though this may break cloud management features. Monitor API access logs for unusual device status queries if available. Organizations can reduce attack surface by disabling cloud connectivity and using local-only camera management where operationally feasible, though this eliminates remote access capabilities. Consult runZero advisory for updated remediation guidance: https://www.runzero.com/advisories/meari-openapi-device-status-idor-cve-2026-33357/.

Share

CVE-2026-33357 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy