
Description

In Meari IoT Cloud alert image storage on Alibaba OSS (latest observed; storage service version not disclosed), motion snapshots are retrievable without authentication, signed URLs, or expiry enforcement. URLs function as direct object references and remain valid beyond expected operational windows.

PUBLISHED Reserved 2026-03-19 | Published 2026-05-11 | Updated 2026-05-11 | Assigner runZero




HIGH: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Problem types

CWE-862 Missing Authorization

Product status

Default status: unaffected

April, 2026 (date): affected

Credits

Sammy Azdoufal (finder)

Tod Beardsley of runZero, Inc. (coordinator)

References

github.com/xn0tsa/nobody-puts-baby-in-a-corner (technical-description)

www.runzero.com/...s-in-cloud-object-storage-cve-2026-33359/ (third-party-advisory)

cve.org (CVE-2026-33359)

nvd.nist.gov (CVE-2026-33359)
