Description
In Meari IoT Cloud alert image storage on Alibaba OSS (latest observed; storage service version not disclosed), motion snapshots are retrievable without authentication, signed URLs, or expiry enforcement. URLs function as direct object references and remain valid beyond expected operational windows.
Published: 2026-05-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in how Meari IoT Cloud stores alert images on Alibaba OSS. Motion snapshots are served from URLs that act as direct object references: the storage layer performs no authentication, requires no signature on the URL, and enforces no expiry, so anyone holding a snapshot URL can fetch the image and can keep doing so long after the event it belongs to. The result is a loss of confidentiality only (CVSS C:H, with no integrity or availability impact): snapshot images of users' homes and premises are exposed to unauthorized parties, which is both a privacy violation and useful situational data for an attacker. The weakness is classified as CWE-862, missing authorization.

Affected Systems

The affected component is the Meari IoT Cloud alert image storage hosted on Alibaba OSS. No version of the storage service is disclosed; the issue was observed in the latest configuration available at the time of discovery, so all deployments using this storage path should be treated as affected until the vendor states otherwise.

Risk and Exploitability

The CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) rates the issue High: it is reachable over the network, needs no privileges and no user interaction, and affects confidentiality only. The EPSS score shown on this page is below 1%, and the SSVC entry records no known exploitation, but it also marks the issue as automatable, and the technical bar is low: a single unauthenticated HTTP GET to a snapshot URL returns the image, and because the URLs neither expire nor carry a signature, any URL an attacker obtains stays usable indefinitely. The vulnerability is not listed in the CISA KEV catalog. An adversary holding a set of snapshot URLs could harvest motion snapshots over time, building a picture of users' environments and routines that could support further attacks.

Generated by OpenCVE AI on May 11, 2026 at 17:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Have the Meari IoT Cloud service enforce an authorization check before it issues or serves an alert image URL; this is a cloud-side fix, not a camera firmware change, and only the vendor can apply it.
  • Set the Alibaba OSS bucket policy or ACL on the snapshot bucket to private so that no motion snapshot object is readable without credentials; signed URLs do not help while the objects remain publicly readable.
  • Where the application must hand a link to a client, issue signed URLs with an expiry measured in minutes, and audit object permissions and previously issued links so that no URL remains valid beyond its intended window.
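The enforcement the recommended actions describe, written out as an added example (not Meari's or Alibaba's code): a snapshot URL is issued with a signature and a short Expires, and the storage side refuses bare object references, expired links and tampered links. The bare URL at the end of the block is exactly the persistent direct object reference the Impact section describes. The OSS V1 URL-signing scheme (HMAC-SHA1 over a string-to-sign, query parameters OSSAccessKeyId, Expires and Signature) is re-implemented here so the example runs offline; the bucket, endpoint, object key, credentials and timestamps are constructed, and `sign_snapshot_url`, `verify_snapshot_url` and `audit_snapshot_urls` are names chosen for this example.

```python
"""Signed, short-lived URLs for alert snapshots, with server-side expiry checks.

Added example (not Meari's or Alibaba's code). It re-implements the documented
OSS V1 URL-signing scheme (HMAC-SHA1 over a string-to-sign, query parameters
OSSAccessKeyId / Expires / Signature) so that it runs offline; in production
use the official oss2 SDK rather than this re-implementation. All bucket,
key, credential and timestamp values are constructed for the example.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote, unquote, urlparse

# Constructed sample values; none of these are real hosts or credentials.
BUCKET = "meari-alerts-example"
ENDPOINT = "oss-cn-hangzhou.aliyuncs.com"
ACCESS_KEY_ID = "LTAI_EXAMPLE_ID"
ACCESS_KEY_SECRET = "example-secret-do-not-use"
SNAPSHOT_KEY = "device/CAM123/motion/20260511T170000Z.jpg"
DEFAULT_TTL_SECONDS = 300  # minutes, not the indefinite lifetime described on this page
REQUIRED_PARAMS = ("OSSAccessKeyId", "Expires", "Signature")


def _string_to_sign(method, bucket, key, expires):
    # OSS V1 string-to-sign for a URL signature: VERB, Content-MD5 (empty),
    # Content-Type (empty), Expires, then the canonicalized resource "/bucket/key".
    return f"{method}\n\n\n{expires}\n/{bucket}/{key}"


def _signature(secret, string_to_sign):
    mac = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def sign_snapshot_url(key, now, ttl=DEFAULT_TTL_SECONDS, method="GET"):
    """Issue a GET URL for `key` that stops working `ttl` seconds after `now` (epoch seconds)."""
    expires = int(now) + int(ttl)
    sig = _signature(ACCESS_KEY_SECRET, _string_to_sign(method, BUCKET, key, expires))
    return (
        f"https://{BUCKET}.{ENDPOINT}/{quote(key, safe='/')}"
        f"?OSSAccessKeyId={ACCESS_KEY_ID}&Expires={expires}&Signature={quote(sig, safe='')}"
    )


def verify_snapshot_url(url, now, method="GET"):
    """Storage-side check. Returns (accepted, reason).

    This is the behaviour the page says is missing: a bare object URL is refused,
    a URL whose Expires has passed is refused even though the object still exists,
    and a URL with a tampered Expires, key or bucket fails the HMAC check.
    """
    parts = urlparse(url)
    params = parse_qs(parts.query)
    if not all(p in params for p in REQUIRED_PARAMS):
        return False, "unsigned direct object reference"
    if params["OSSAccessKeyId"][0] != ACCESS_KEY_ID:
        return False, "unknown access key"
    try:
        expires = int(params["Expires"][0])
    except ValueError:
        return False, "malformed expiry"
    if int(now) > expires:
        return False, "expired"
    bucket = (parts.hostname or "").split(".")[0]
    key = unquote(parts.path.lstrip("/"))
    expected = _signature(ACCESS_KEY_SECRET, _string_to_sign(method, bucket, key, expires))
    if not hmac.compare_digest(expected, params["Signature"][0]):
        return False, "bad signature"
    return True, "ok"


def audit_snapshot_urls(urls, now):
    """Count, for a set of issued links, how many would still serve an image to
    whoever holds them at time `now`; after remediation only recently issued,
    correctly signed links should come back as "valid"."""
    summary = {}
    for url in urls:
        accepted, reason = verify_snapshot_url(url, now)
        status = "valid" if accepted else reason
        summary[status] = summary.get(status, 0) + 1
    return summary


if __name__ == "__main__":
    NOW = 1_778_000_000  # constructed epoch timestamp
    fresh = sign_snapshot_url(SNAPSHOT_KEY, NOW)
    stale = sign_snapshot_url(SNAPSHOT_KEY, NOW - 3600)
    bare = f"https://{BUCKET}.{ENDPOINT}/{SNAPSHOT_KEY}"  # the direct object reference this CVE describes
    for u in (fresh, stale, bare):
        print(verify_snapshot_url(u, NOW), u[:80])
    print(audit_snapshot_urls([fresh, stale, bare], NOW))
```

In a real deployment the verifying side is OSS itself, and it only refuses the bare URL if the bucket and objects are not publicly readable; a signing scheme layered on a public-read bucket changes nothing. `audit_snapshot_urls` is the shape of the permissions audit in the last recommended action: run it over the links the application has actually handed out, and anything that does not come back as expired or valid is a link that should never have been issued.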

Generated by OpenCVE AI on May 11, 2026 at 17:34 UTC.

Advisories

No advisories yet.

History

Tue, 12 May 2026 10:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Meari
                                      Meari alibaba Oss Hosted
Vendors & Products                    Meari
                                      Meari alibaba Oss Hosted

Mon, 11 May 2026 19:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 16:30:00 +0000

Type          Values Removed   Values Added
Description                    In Meari IoT Cloud alert image storage on Alibaba OSS (latest observed; storage service version not disclosed), motion snapshots are retrievable without authentication, signed URLs, or expiry enforcement. URLs function as direct object references and remain valid beyond expected operational windows.
Title                          Meari unauthenticated alert image access in cloud object storage
Weaknesses                     CWE-862
References
Metrics                        cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: runZero

Published:

Updated: 2026-05-11T18:18:06.184Z

Reserved: 2026-03-19T00:27:05.987Z

Link: CVE-2026-33359

Vulnrichment

Updated: 2026-05-11T18:18:02.281Z

NVD

Status : Received

Published: 2026-05-11T17:16:30.843

Modified: 2026-05-11T17:16:30.843

Link: CVE-2026-33359

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:22:59Z

Weaknesses