Description
In Meari IoT SDK builds embedded in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and white-label Android apps <= 1.8.x (latest observed), multiple security-critical secrets are hardcoded and shared, including API signing material, password-transport keying, and service access keys.
Published: 2026-05-11
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from hardcoded cryptographic keys embedded in the Meari IoT SDK. The exposed secrets include API signing material, a key used to protect password transport, and service access keys. The weakness is classified as CWE-321 (Use of Hard-coded Cryptographic Key); because the same keys are shared by every build that embeds the SDK, an attacker who recovers them can forge authenticated requests, intercept credentials protected by the password-transport key, and potentially gain unauthorized service access. Consequently, the confidentiality and integrity of communications with Meari devices and their backend services may be compromised.

Affected Systems

Affected products are the Meari SDK as integrated into CloudEdge 5.5.0 (build 220) and Arenti 1.8.1 (build 220), as well as white-label Android applications at version 1.8.x or earlier (the latest observed). These builds all contain the same hardcoded keys, which are common across the product line.

Risk and Exploitability

With a CVSS score of 8.6, this issue is rated high severity. The EPSS score is very low (below 1%), and the vulnerability is not listed in the CISA KEV catalog. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) describes network-reachable exploitation with no privileges or user interaction and a scope change: the secrets ship inside the distributed app and SDK builds, so any party that can read the binary or otherwise access the device internals can extract the keys and use them to impersonate the device or eavesdrop on sensitive data. The exploitation requirement is modest, while the potential impact on confidentiality and authentication integrity is significant.

Generated by OpenCVE AI on May 11, 2026 at 17:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware or SDK update that removes the hardcoded cryptographic keys.
  • If an update is not available, revoke all exposed keys (API signing certificates, service access credentials, and password-transport keys) and reconfigure the devices to use fresh, securely distributed keys.
  • Restrict network exposure of affected devices by isolating them from public networks, enforcing strict access controls, and monitoring for anomalous traffic patterns that might indicate misuse of the compromised keys.

Generated by OpenCVE AI on May 11, 2026 at 17:33 UTC.

Advisories

No advisories yet.

History

Tue, 12 May 2026 10:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Meari; Meari com.meari.sdk
Vendors & Products | | Meari; Meari com.meari.sdk

Mon, 11 May 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 16:30:00 +0000

Type | Values Removed | Values Added
Description | | In Meari IoT SDK builds embedded in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and white-label Android apps <= 1.8.x (latest observed), multiple security-critical secrets are hardcoded and shared, including API signing material, password-transport keying, and service access keys.
Title | | Meari SDK hardcoded cryptographic keys
Weaknesses | | CWE-321
References | |
Metrics | | cvssV3_1: {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: runZero

Published:

Updated: 2026-05-11T18:15:45.783Z

Reserved: 2026-03-19T00:27:05.987Z

Link: CVE-2026-33362

Vulnrichment

Updated: 2026-05-11T18:15:42.048Z

NVD

Status: Received

Published: 2026-05-11T17:16:31.083

Modified: 2026-05-11T17:16:31.083

Link: CVE-2026-33362

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:22:56Z

Weaknesses