CVE-2026-33359
Meari · IoT Cloud (Alibaba OSS)
A missing authorization vulnerability in Meari IoT Cloud storage allows unauthenticated access to motion snapshot images hosted on Alibaba OSS.
Executive summary
Unauthenticated access to motion snapshots in Meari IoT Cloud storage (April 2026) presents a critical privacy risk due to missing authorization controls.
Vulnerability
This vulnerability involves missing authorization (CWE-862) where motion snapshots can be retrieved by any user without authentication, signed URLs, or expiry enforcement. This is an unauthenticated vulnerability accessible via the network (AV:N).
Business impact
The exposure of motion snapshots could lead to significant privacy violations and the unauthorized disclosure of visual data captured by IoT devices. With a CVSS score of 7.5, the vulnerability is classified as high severity due to the ease of exploitation and the direct impact on user privacy.
Remediation
Immediate Action: Immediately restrict public access to the Alibaba OSS bucket associated with Meari IoT Cloud and verify that all objects require proper authentication.
Proactive Monitoring: Review access logs for Alibaba OSS to identify any unauthorized requests for motion snapshot files.
Compensating Controls: Implement strict IAM policies on the cloud storage service to enforce private access and ensure that all generated URLs are time-limited and signed.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The vendor must urgently implement authorization checks for all cloud-hosted media files. Users and administrators should treat the affected storage environment as compromised until proper access controls are verified and enforced.