CVE-2026-33359 PUBLISHED

Meari unauthenticated alert image access in cloud object storage

Assigner: runZero
Reserved: 19.03.2026
Published: 11.05.2026
Updated: 11.05.2026

In Meari IoT Cloud alert image storage on Alibaba OSS (latest observed; storage service version not disclosed), motion snapshots are retrievable without authentication, signed URLs, or expiry enforcement. URLs function as direct object references and remain valid beyond expected operational windows.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 7.5

Product Status

Vendor: Meari
Product: Alibaba OSS Hosted
Versions: Default: unaffected
  • Version April, 2026 is affected

Credits

  • Sammy Azdoufal (finder)
  • Tod Beardsley of runZero, Inc. (coordinator)

References

Problem Types

  • CWE-862: Missing Authorization