CVE-2026-33357 Overview
CVE-2026-33357 is a missing authorization vulnerability [CWE-862] in Meari client applications that embed the com.meari.sdk library. Affected products include CloudEdge 5.5.0 build 220, Arenti 1.8.1 build 220, and related white-label applications at version 1.8.x and earlier. The flaw resides in the server-side endpoint GET /openapi/device/status hosted on openapi-euce.mearicloud.com. The endpoint fails to validate that the requesting user owns the target device, allowing an attacker to retrieve WAN IP data for arbitrary devices.
Critical Impact
Any remote attacker who can call the endpoint can enumerate the WAN IP addresses of arbitrary Meari-connected IoT devices without owning, or having any relationship to, the devices queried. Device owners are thereby exposed to targeted reconnaissance and follow-on attacks against the Internet-facing address behind which the camera sits.
Affected Products
- CloudEdge 5.5.0 build 220 (embedding com.meari.sdk)
- Arenti 1.8.1 build 220 (embedding com.meari.sdk)
- Related Meari white-label client applications version 1.8.x and earlier
Discovery Timeline
- 2026-05-11 - CVE-2026-33357 published to the National Vulnerability Database (NVD)
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-33357
Vulnerability Analysis
The vulnerability is an Insecure Direct Object Reference (IDOR) in the Meari cloud API. Meari client applications integrate com.meari.sdk to communicate with openapi-euce.mearicloud.com for device management. The GET /openapi/device/status endpoint returns device telemetry including the WAN IP address. The server does not enforce ownership checks against the authenticated session and the supplied device identifier. An attacker who supplies a valid device ID receives status information regardless of whether the device belongs to their account.
The disclosed WAN IP data enables coarse geolocation, ISP fingerprinting, and direct probing of the victim's public address, for example for forwarded camera ports or other exposed services. Information exposed by this endpoint can therefore drive targeted attacks against the home or enterprise network behind the camera.
Root Cause
The root cause is a server-side authorization failure, classified as [CWE-862] Missing Authorization. The endpoint authenticates the caller but does not verify the caller is authorized to query the requested device. Client-side trust in the SDK does not compensate for the missing server-side check.
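The missing check is easiest to see as code. The following is an added illustration of the CWE-862 pattern described above, written for this page; it is not Meari's server code, and the handler names, session tokens, device identifiers, addresses and in-memory tables are constructed assumptions that stand in for the real schema. The vulnerable handler authenticates the session and looks up the device, but never ties the two together; the fixed handler compares the authenticated principal with the device's owner before releasing any attribute, and answers a not-owned device with the same error as a non-existent one so the endpoint cannot be used to confirm which IDs exist.

```python
"""Illustrative model of a missing-authorization (IDOR) endpoint and its fix.

Added example, not Meari's code: the names, tokens, device IDs and WAN
addresses below are constructed assumptions, not the real API schema.
"""
from dataclasses import dataclass


class Unauthorized(Exception):
    """Raised when the caller presents no valid session."""


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized for the device."""


@dataclass(frozen=True)
class Device:
    device_id: str
    owner_id: str
    wan_ip: str


# Constructed sample data: two accounts, three devices (documentation ranges).
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
DEVICES = {
    "dev-0001": Device("dev-0001", "alice", "203.0.113.10"),
    "dev-0002": Device("dev-0002", "alice", "203.0.113.11"),
    "dev-0003": Device("dev-0003", "bob", "198.51.100.7"),
}


def _authenticate(token: str) -> str:
    """Maps a session token to a principal, or rejects the call."""
    user = SESSIONS.get(token)
    if user is None:
        raise Unauthorized("no valid session")
    return user


def device_status_vulnerable(token: str, device_id: str) -> dict:
    """CWE-862 shape: session checked, device looked up, nothing links them.

    Any valid session can therefore read any device's status.
    """
    _authenticate(token)
    device = DEVICES[device_id]  # KeyError stands in for the server's 'not found'
    return {"deviceId": device.device_id, "wanIp": device.wan_ip}


def device_status_fixed(token: str, device_id: str) -> dict:
    """Same lookup with the ownership check in place.

    The authenticated principal must own the device. A device that is missing
    and one that is not owned get the same error, so the endpoint does not
    confirm which identifiers exist.
    """
    user = _authenticate(token)
    device = DEVICES.get(device_id)
    if device is None or device.owner_id != user:
        raise Forbidden("device not found or not owned by caller")
    return {"deviceId": device.device_id, "wanIp": device.wan_ip}


def is_denied(token: str, device_id: str) -> bool:
    """True if the fixed handler refuses the (token, device) pair."""
    try:
        device_status_fixed(token, device_id)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # bob reads alice's device through the vulnerable path only.
    print("vulnerable:", device_status_vulnerable("tok-bob", "dev-0001"))
    print("fixed denies bob:", is_denied("tok-bob", "dev-0001"))
```

The point of the comparison is the single line that relates `user` to `device.owner_id`; everything else is identical, which is why this class of bug survives testing that only exercises each account against its own devices.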
Attack Vector
The attack vector is network-based and requires no user interaction. The caller must be able to reach and call the API, but needs no ownership of, or privilege over, the target device: an attacker enumerates or guesses device identifiers and issues GET /openapi/device/status requests against openapi-euce.mearicloud.com, and each successful request returns WAN IP data for the targeted device. Public proof-of-concept material is referenced in the GitHub PoC Repository and the RunZero Security Advisory.
No verified exploit code is reproduced here. See the linked advisories for request structure and parameter details.
Detection Methods for CVE-2026-33357
Indicators of Compromise
- Requests to openapi-euce.mearicloud.com/openapi/device/status carrying device identifiers that are not associated with the requesting account. The path and parameters travel inside TLS, so this indicator is only observable where the request is seen decrypted: on the API side, or on a host or proxy you control. On the wire, only the destination host (via DNS and SNI) and request volume are visible.
- High-volume sequential or enumerated device ID queries against the Meari OpenAPI host.
- Unexpected mobile or server-side processes making repeated calls to mearicloud.com endpoints outside normal application usage.
Detection Strategies
- Monitor egress traffic for connections to *.mearicloud.com and baseline normal request volumes per device and per account.
- Inspect TLS Server Name Indication (SNI) and DNS logs for queries to openapi-euce.mearicloud.com originating from non-mobile hosts.
- Correlate Meari API access patterns with device inventory to identify queries for unowned devices.
Monitoring Recommendations
- Ingest network telemetry, DNS, and proxy logs into a centralized analytics platform to track API enumeration patterns.
- Where request content is visible, alert on sudden spikes in GET /openapi/device/status requests or on responses containing public IP fields; where only encrypted traffic is visible, alert on request volume toward the host instead.
- Watch threat intelligence feeds and the RunZero advisory for reports of enumerated device identifiers or exposed WAN IPs, and check any reported values against your own device inventory and public addresses.
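The two indicators that depend on request content (device IDs outside the requesting account, and bursts of distinct IDs from one source) can be checked with a short script wherever such logs exist. The following is an added example written for this page, not Meari's tooling. It assumes a constructed access-log format with account, source address, path and status fields, and an inventory mapping each account to the device IDs it owns; the log lines, field names, accounts, device IDs and addresses are all made up for the demonstration.

```python
"""Detection of unowned-device queries and device-ID enumeration bursts.

Added example, not Meari's tooling. The log format, inventory and sample
lines are constructed assumptions; real logs will need their own parser.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory: device IDs each account legitimately owns.
INVENTORY = {
    "alice": {"dev-0001", "dev-0002"},
    "bob": {"dev-0003"},
}

# Constructed access log (not real traffic). bob owns only dev-0003 but walks
# dev-0001..dev-0006 within a few seconds; the device/list line is noise.
SAMPLE_LOG = """\
2026-05-12T10:00:01Z account=alice src=192.0.2.10 GET /openapi/device/status?deviceId=dev-0001 200
2026-05-12T10:00:05Z account=alice src=192.0.2.10 GET /openapi/device/status?deviceId=dev-0002 200
2026-05-12T10:01:00Z account=bob src=198.51.100.9 GET /openapi/device/status?deviceId=dev-0001 200
2026-05-12T10:01:01Z account=bob src=198.51.100.9 GET /openapi/device/status?deviceId=dev-0002 200
2026-05-12T10:01:02Z account=bob src=198.51.100.9 GET /openapi/device/status?deviceId=dev-0003 200
2026-05-12T10:01:03Z account=bob src=198.51.100.9 GET /openapi/device/status?deviceId=dev-0004 200
2026-05-12T10:01:04Z account=bob src=198.51.100.9 GET /openapi/device/status?deviceId=dev-0005 200
2026-05-12T10:01:05Z account=bob src=198.51.100.9 GET /openapi/device/status?deviceId=dev-0006 200
2026-05-12T10:05:00Z account=bob src=198.51.100.9 GET /openapi/device/list 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) src=(?P<src>\S+) "
    r"GET /openapi/device/status\?deviceId=(?P<device>\S+) (?P<status>\d{3})$"
)


def parse(log: str) -> list:
    """Keeps successful status requests only; other endpoints are ignored."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("status") == "200":
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events


def unowned_queries(events: list) -> dict:
    """Indicator 1: device IDs an account queried but does not own."""
    hits = defaultdict(list)
    for ev in events:
        if ev["device"] not in INVENTORY.get(ev["account"], set()):
            hits[ev["account"]].append(ev["device"])
    return dict(hits)


def enumeration_bursts(events: list, window=timedelta(seconds=30), threshold=5) -> dict:
    """Indicator 2: one (account, source) touching >= threshold distinct device
    IDs inside `window`. Sliding window over time-sorted events per key."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_key[(ev["account"], ev["src"])].append(ev)
    flagged = {}
    for key, evs in by_key.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["device"] for e in evs[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[key] = max(len(distinct), flagged.get(key, 0))
    return flagged


def analyse(log: str = SAMPLE_LOG) -> dict:
    """Runs both indicators over a log and returns the findings."""
    events = parse(log)
    return {"unowned": unowned_queries(events), "bursts": enumeration_bursts(events)}


if __name__ == "__main__":
    print(analyse())
```

The ownership comparison is the stronger signal and needs the inventory; the burst check needs no inventory and still catches a scripted walk through an ID space, which is why both are worth running where the logs allow.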
How to Mitigate CVE-2026-33357
Immediate Actions Required
- Inventory deployed Meari-based devices including CloudEdge, Arenti, and white-label cameras to identify exposure.
- Restrict outbound network access from IoT segments to only required cloud endpoints and block lateral access from cameras to sensitive networks.
- Contact device vendors and Meari for fixed firmware and SDK builds; apply any vendor-supplied updates that address the authorization check.
Patch Information
No vendor patch identifier is referenced in the NVD entry at publication. The fix must be applied server-side at openapi-euce.mearicloud.com by enforcing device ownership validation on GET /openapi/device/status. Refer to the RunZero Security Advisory for current remediation status.
Workarounds
- Keep affected IoT devices behind a network address translation (NAT) boundary with no inbound port forwards, and do not expose their management traffic to untrusted networks. Note that NAT does not prevent the disclosure itself: the WAN IP the endpoint returns is the public address of that NAT boundary, so this only limits what an attacker can reach after learning it.
- Rotate or replace device identifiers if the vendor provides a mechanism, reducing the value of any previously enumerated IDs.
- Where feasible, disable cloud connectivity on affected cameras and operate them through local-only protocols until a server-side fix is confirmed.
# Example egress restriction for an IoT VLAN (illustrative)
# Block the IoT segment from reaching the Meari OpenAPI host pending a vendor fix.
# iptables resolves the hostname once, at insertion time, so the rule must be
# refreshed if the host's addresses change; the rule is inserted at the head of
# FORWARD so an earlier ACCEPT cannot bypass it. Blocking this host also disables
# the cloud features that depend on it.
iptables -I FORWARD -s 10.20.30.0/24 -d openapi-euce.mearicloud.com -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.