Skip to main content

Meari IoT Cloud CVE-2026-33359

| EUVDEUVD-2026-29104 HIGH
Missing Authorization (CWE-862)
2026-05-11 runZero GHSA-fxwq-qqhr-34q4
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 11, 2026 - 16:46 vuln.today
CVE Published
May 11, 2026 - 16:03 nvd
HIGH 7.5

DescriptionCVE.org

In Meari IoT Cloud alert image storage on Alibaba OSS (latest observed; storage service version not disclosed), motion snapshots are retrievable without authentication, signed URLs, or expiry enforcement. URLs function as direct object references and remain valid beyond expected operational windows.

AnalysisAI

Unauthenticated access to motion detection snapshots in Meari IoT Cloud allows remote attackers to retrieve security camera alert images stored on Alibaba OSS without authentication, signed URLs, or expiry enforcement. The vulnerability exposes IoT camera surveillance footage through predictable direct object references with confirmed proof-of-concept code publicly available. With CVSS 7.5 (High) and no authentication required (PR:N), this poses significant privacy risk to Meari camera deployments, though no active exploitation is confirmed via CISA KEV at time of analysis.

Technical ContextAI

Meari IoT Cloud leverages Alibaba Object Storage Service (OSS) as backend storage for motion detection alert images captured by connected security cameras. The implementation fails to enforce CWE-862 (Missing Authorization) controls on stored objects. Specifically, the system generates predictable direct object reference URLs to alert snapshots that lack cryptographic signatures, time-based expiration tokens, or authentication middleware validation. This architectural flaw in the cloud API integration allows URLs to function as bearer tokens with indefinite validity. Alibaba OSS itself supports signed URL generation with expiration policies, but Meari's implementation does not utilize these security features. The CPE identifier cpe:2.3:a:meari:alibaba_oss_hosted:*:*:*:*:*:*:*:* indicates all observed versions of the Meari cloud platform using Alibaba OSS are affected, with no version upper bound specified.

RemediationAI

Organizations using Meari IoT Cloud should immediately contact Meari vendor support to confirm patch availability and implementation timeline, as no vendor-released patch is identified at time of analysis. Until a fix is deployed, implement network-level access controls: restrict Meari cloud API endpoints to authenticated users via reverse proxy or API gateway with enforced authentication middleware, though this may break legitimate mobile app functionality if Meari's client applications cannot adapt to added authentication layers (trade-off: security versus operational continuity). For high-sensitivity deployments, disable cloud storage of motion alerts entirely if Meari devices support local-only recording modes, accepting the trade-off of losing remote alert notification features. Network administrators should monitor for unusual access patterns to known Meari alert image URL patterns and consider rate-limiting requests to Alibaba OSS domains associated with Meari tenancy. Consult the runZero advisory at https://www.runzero.com/advisories/meari-unauthenticated-alert-image-access-in-cloud-object-storage-cve-2026-33359/ for additional technical guidance and IoC patterns. If Meari provides a configuration option to enable signed URLs with expiration on Alibaba OSS, enable it immediately, though such functionality has not been confirmed to exist in current implementations.

Share

CVE-2026-33359 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy