CVE-2026-33359

EUVD-2026-29104
In Meari IoT Cloud alert image storage on Alibaba OSS (latest observed; storage service version not disclosed), motion snapshots are retrievable without authentication, signed URLs, or expiry enforcement. URLs function as direct object references and remain valid beyond expected operational windows.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 14%
Common Weakness Enumeration
References
https://github.com/xn0tsa/nobody-puts-baby-in-a-corner
https://www.runzero.com/advisories/meari-unauthenticated-alert-image-access-in-cloud-object-storage-cve-2026-33359/