
5 vulnerabilities by Meari

CVE-2026-33362 (GCVE-0-2026-33362)

Vulnerability from cvelistv5 – Published: 2026-05-11 16:04 – Updated: 2026-05-11 18:15
Title
Meari SDK hardcoded cryptographic keys
Summary
In Meari IoT SDK builds embedded in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and white-label Android apps <= 1.8.x (latest observed), multiple security-critical secrets are hardcoded and shared, including API signing material, password-transport keying, and service access keys.
CWE
  • CWE-321 - Use of Hard-coded Cryptographic Key
Assigner
References
Impacted products
Vendor Product Version
Meari com.meari.sdk Affected: firmID=8 (custom)
Date Public ?
2026-05-11 16:00
Credits
Sammy Azdoufal (finder); Tod Beardsley of runZero, Inc. (coordinator)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33362",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-11T18:15:31.897348Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T18:15:45.783Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "com.meari.sdk",
          "vendor": "Meari",
          "versions": [
            {
              "status": "affected",
              "version": "firmID=8",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Sammy Azdoufal"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Tod Beardsley of runZero, Inc."
        }
      ],
      "datePublic": "2026-05-11T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Meari IoT SDK builds embedded in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and white-label Android apps \u0026lt;= 1.8.x (latest observed), multiple security-critical secrets are hardcoded and shared, including API signing material, password-transport keying, and service access keys.\u003cbr\u003e"
            }
          ],
          "value": "In Meari IoT SDK builds embedded in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and white-label Android apps \u003c= 1.8.x (latest observed), multiple security-critical secrets are hardcoded and shared, including API signing material, password-transport keying, and service access keys."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-321",
              "description": "CWE-321 Use of Hard-coded Cryptographic Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T16:04:16.704Z",
        "orgId": "44488dab-36db-4358-99f9-bc116477f914",
        "shortName": "runZero"
      },
      "references": [
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://github.com/xn0tsa/nobody-puts-baby-in-a-corner"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.runzero.com/advisories/meari-sdk-hardcoded-cryptographic-keys-cve-2026-33362/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Meari SDK hardcoded cryptographic keys",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
    "assignerShortName": "runZero",
    "cveId": "CVE-2026-33362",
    "datePublished": "2026-05-11T16:04:16.704Z",
    "dateReserved": "2026-03-19T00:27:05.987Z",
    "dateUpdated": "2026-05-11T18:15:45.783Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33361 (GCVE-0-2026-33361)

Vulnerability from cvelistv5 – Published: 2026-05-11 16:03 – Updated: 2026-05-11 18:17
Title
Meari weak XOR obfuscation
Summary
In Meari IoT SDK image handling (libmrplayer.so) as observed in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and related white-label apps (<= 1.8.x), baby monitor ".jpgx3" files use reversible XOR over only the first 1024 bytes with a predictable key derivation model.
CWE
  • CWE-326 - Inadequate Encryption Strength
Assigner
References
Impacted products
Vendor Product Version
Meari com.meari.sdk Affected: firmID=8 (custom)
Date Public ?
2026-05-11 16:00
Credits
Sammy Azdoufal (finder); Tod Beardsley of runZero, Inc. (coordinator)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33361",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-11T18:17:34.883672Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T18:17:43.933Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "com.meari.sdk",
          "vendor": "Meari",
          "versions": [
            {
              "status": "affected",
              "version": "firmID=8",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Sammy Azdoufal"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Tod Beardsley of runZero, Inc."
        }
      ],
      "datePublic": "2026-05-11T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Meari IoT SDK image handling (libmrplayer.so) as observed in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and related white-label apps (\u0026lt;= 1.8.x), baby monitor \".jpgx3\" files use reversible XOR over only the first 1024 bytes with a predictable key derivation model.\u003cbr\u003e"
            }
          ],
          "value": "In Meari IoT SDK image handling (libmrplayer.so) as observed in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and related white-label apps (\u003c= 1.8.x), baby monitor \".jpgx3\" files use reversible XOR over only the first 1024 bytes with a predictable key derivation model."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-326",
              "description": "CWE-326 Inadequate Encryption Strength",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T16:03:55.746Z",
        "orgId": "44488dab-36db-4358-99f9-bc116477f914",
        "shortName": "runZero"
      },
      "references": [
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://github.com/xn0tsa/nobody-puts-baby-in-a-corner"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.runzero.com/advisories/meari-weak-xor-obfuscation-cve-2026-33361/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Meari weak XOR obfuscation",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
    "assignerShortName": "runZero",
    "cveId": "CVE-2026-33361",
    "datePublished": "2026-05-11T16:03:55.746Z",
    "dateReserved": "2026-03-19T00:27:05.987Z",
    "dateUpdated": "2026-05-11T18:17:43.933Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33359 (GCVE-0-2026-33359)

Vulnerability from cvelistv5 – Published: 2026-05-11 16:03 – Updated: 2026-05-11 18:18 – Tag: Exclusively Hosted Service
Title
Meari unauthenticated alert image access in cloud object storage
Summary
In Meari IoT Cloud alert image storage on Alibaba OSS (latest observed; storage service version not disclosed), motion snapshots are retrievable without authentication, signed URLs, or expiry enforcement. URLs function as direct object references and remain valid beyond expected operational windows.
CWE
  • CWE-862 - Missing Authorization
Assigner
References
Impacted products
Vendor Product Version
Meari Alibaba OSS Hosted Affected: April, 2026 (date)
Date Public ?
2026-05-11 16:00
Credits
Sammy Azdoufal (finder); Tod Beardsley of runZero, Inc. (coordinator)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33359",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-11T18:17:55.620113Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T18:18:06.184Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Alibaba OSS Hosted",
          "vendor": "Meari",
          "versions": [
            {
              "status": "affected",
              "version": "April, 2026",
              "versionType": "date"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Sammy Azdoufal"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Tod Beardsley of runZero, Inc."
        }
      ],
      "datePublic": "2026-05-11T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Meari IoT Cloud alert image storage on Alibaba OSS (latest observed; storage service version not disclosed), motion snapshots are retrievable without authentication, signed URLs, or expiry enforcement. URLs function as direct object references and remain valid beyond expected operational windows.\u003cbr\u003e"
            }
          ],
          "value": "In Meari IoT Cloud alert image storage on Alibaba OSS (latest observed; storage service version not disclosed), motion snapshots are retrievable without authentication, signed URLs, or expiry enforcement. URLs function as direct object references and remain valid beyond expected operational windows."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T16:03:21.535Z",
        "orgId": "44488dab-36db-4358-99f9-bc116477f914",
        "shortName": "runZero"
      },
      "references": [
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://github.com/xn0tsa/nobody-puts-baby-in-a-corner"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.runzero.com/advisories/meari-unauthenticated-alert-image-access-in-cloud-object-storage-cve-2026-33359/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "tags": [
        "exclusively-hosted-service"
      ],
      "title": "Meari unauthenticated alert image access in cloud object storage",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
    "assignerShortName": "runZero",
    "cveId": "CVE-2026-33359",
    "datePublished": "2026-05-11T16:03:21.535Z",
    "dateReserved": "2026-03-19T00:27:05.987Z",
    "dateUpdated": "2026-05-11T18:18:06.184Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33357 (GCVE-0-2026-33357)

Vulnerability from cvelistv5 – Published: 2026-05-11 16:02 – Updated: 2026-05-11 18:18
Title
Meari OpenAPI device status IDOR
Summary
In Meari client applications embedding "com.meari.sdk" (including CloudEdge 5.5.0 build 220, Arenti 1.8.1 build 220, and related white-label <= 1.8.x), the integrated call path to openapi-euce.mearicloud.com can be abused to retrieve WAN IP data for arbitrary devices. The root cause is a server-side authorization failure in "GET /openapi/device/status".
CWE
  • CWE-862 - Missing Authorization
Assigner
References
Impacted products
Vendor Product Version
Meari com.meari.sdk Affected: firmID=8 (custom)
Date Public ?
2026-05-11 16:00
Credits
Sammy Azdoufal (finder); Tod Beardsley of runZero, Inc. (coordinator)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33357",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-11T18:18:17.383807Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T18:18:25.334Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "com.meari.sdk",
          "vendor": "Meari",
          "versions": [
            {
              "status": "affected",
              "version": "firmID=8",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Sammy Azdoufal"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Tod Beardsley of runZero, Inc."
        }
      ],
      "datePublic": "2026-05-11T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Meari client applications embedding \"com.meari.sdk\" (including CloudEdge 5.5.0 build 220, Arenti 1.8.1 build 220, and related white-label \u0026lt;= 1.8.x), the integrated call path to openapi-euce.mearicloud.com can be abused to retrieve WAN IP data for arbitrary devices. The root cause is a server-side authorization failure in \"GET /openapi/device/status\"."
            }
          ],
          "value": "In Meari client applications embedding \"com.meari.sdk\" (including CloudEdge 5.5.0 build 220, Arenti 1.8.1 build 220, and related white-label \u003c= 1.8.x), the integrated call path to openapi-euce.mearicloud.com can be abused to retrieve WAN IP data for arbitrary devices. The root cause is a server-side authorization failure in \"GET /openapi/device/status\"."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T16:02:40.597Z",
        "orgId": "44488dab-36db-4358-99f9-bc116477f914",
        "shortName": "runZero"
      },
      "references": [
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://github.com/xn0tsa/nobody-puts-baby-in-a-corner"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.runzero.com/advisories/meari-openapi-device-status-idor-cve-2026-33357/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Meari OpenAPI device status IDOR",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
    "assignerShortName": "runZero",
    "cveId": "CVE-2026-33357",
    "datePublished": "2026-05-11T16:02:40.597Z",
    "dateReserved": "2026-03-19T00:27:05.986Z",
    "dateUpdated": "2026-05-11T18:18:25.334Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33356 (GCVE-0-2026-33356)

Vulnerability from cvelistv5 – Published: 2026-05-11 16:02 – Updated: 2026-05-11 18:18
Title
Meari MQTT broker missing per-device subscribe ACL
Summary
In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own. The broker enforces publish restrictions but does not enforce equivalent subscribe authorization at per-device scope.
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Vendor Product Version
Meari IoT Cloud MQTT Broker EMQX Affected: 4.x (custom)
Date Public ?
2026-05-11 16:00
Credits
Sammy Azdoufal (finder); Tod Beardsley of runZero, Inc. (coordinator)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33356",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-11T18:18:36.704517Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T18:18:45.410Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "IoT Cloud MQTT Broker EMQX",
          "vendor": "Meari",
          "versions": [
            {
              "status": "affected",
              "version": "4.x",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Sammy Azdoufal"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Tod Beardsley of runZero, Inc."
        }
      ],
      "datePublic": "2026-05-11T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own. The broker enforces publish restrictions but does not enforce equivalent subscribe authorization at per-device scope."
            }
          ],
          "value": "In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own. The broker enforces publish restrictions but does not enforce equivalent subscribe authorization at per-device scope."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T16:02:14.046Z",
        "orgId": "44488dab-36db-4358-99f9-bc116477f914",
        "shortName": "runZero"
      },
      "references": [
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://github.com/xn0tsa/nobody-puts-baby-in-a-corner"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.runzero.com/advisories/meari-mqtt-broker-missing-per-device-subscribe-acl-cve-2026-33356/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Meari MQTT broker missing per-device subscribe ACL",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
    "assignerShortName": "runZero",
    "cveId": "CVE-2026-33356",
    "datePublished": "2026-05-11T16:02:14.046Z",
    "dateReserved": "2026-03-19T00:27:05.986Z",
    "dateUpdated": "2026-05-11T18:18:45.410Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}