CVE-2026-33359
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
In Meari IoT Cloud alert image storage on Alibaba OSS (latest observed; storage service version not disclosed), motion snapshots are retrievable without authentication, signed URLs, or expiry enforcement. URLs function as direct object references and remain valid beyond expected operational windows.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Meari | Alibaba OSS Hosted | April, 2026 | affected |
Weaknesses
- CWE-862: CWE-862 Missing Authorization
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/xn0tsa/nobody-puts-baby-in-a-corner
- https://www.runzero.com/advisories/meari-unauthenticated-alert-image-access-in-cloud-object-storage-cve-2026-33359/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.