Description
In Meari client applications embedding "com.meari.sdk" (including CloudEdge 5.5.0 build 220, Arenti 1.8.1 build 220, and related white-label <= 1.8.x), the integrated call path to openapi-euce.mearicloud.com can be abused to retrieve WAN IP data for arbitrary devices. The root cause is a server-side authorization failure in "GET /openapi/device/status".
Published: 2026-05-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A server‑side authorization failure in the "GET /openapi/device/status" endpoint allows an attacker to retrieve the WAN IP address and other status data for any device managed by the Meari client applications. The flaw exposes network information that could be used to map internal networks or locate devices. The vulnerability falls under CWE‑862, reflecting a missing access control check that permits an unauthorized user to obtain protected information.

Affected Systems

The flaw is present in Meari client applications that embed the "com.meari.sdk" library, including CloudEdge 5.5.0 build 220, Arenti 1.8.1 build 220, and all related white‑label implementations through version 1.8.x. These affected systems expose the vulnerable API endpoint to external network traffic.

Risk and Exploitability

The CVSS score of 7.5 indicates a high‑severity information‑disclosure risk. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting it has not been actively exploited in the wild as of the latest data. Exploitation requires only the ability to send a crafted HTTP request to the openapi‑euce.mearicloud.com endpoint and supply a valid device identifier; no authentication or privileged credentials are required. The attack vector is remote access over the network.

Generated by OpenCVE AI on May 11, 2026 at 17:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s latest firmware or patch that addresses the missing authorization check in the device status API.
  • Disable or restrict external access to the openapi‑euce.mearicloud.com endpoint if it is not required for operational purposes.
  • Monitor API traffic for anomalous or unauthorized status requests and review logs for evidence of exploitation attempts.

Generated by OpenCVE AI on May 11, 2026 at 17:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Meari
Meari com.meari.sdk
Vendors & Products Meari
Meari com.meari.sdk

Mon, 11 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description In Meari client applications embedding "com.meari.sdk" (including CloudEdge 5.5.0 build 220, Arenti 1.8.1 build 220, and related white-label <= 1.8.x), the integrated call path to openapi-euce.mearicloud.com can be abused to retrieve WAN IP data for arbitrary devices. The root cause is a server-side authorization failure in "GET /openapi/device/status".
Title Meari OpenAPI device status IDOR
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Meari Com.meari.sdk
cve-icon MITRE

Status: PUBLISHED

Assigner: runZero

Published:

Updated: 2026-05-11T18:18:25.334Z

Reserved: 2026-03-19T00:27:05.986Z

Link: CVE-2026-33357

cve-icon Vulnrichment

Updated: 2026-05-11T18:18:22.365Z

cve-icon NVD

Status : Received

Published: 2026-05-11T17:16:30.730

Modified: 2026-05-11T17:16:30.730

Link: CVE-2026-33357

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T09:23:00Z

Weaknesses