Products

| # | Product |
|---|---------|
| 1 | Meari IoT SDK (com.meari.sdk) (firmID=8) |
CVE
CVE-2026-33357
Executive summary #
In Meari client applications that embed "com.meari.sdk" (including CloudEdge 5.5.0 build 220, Arenti 1.8.1 build 220, and related white-label apps at version 1.8.x and earlier), the SDK's call path to openapi-euce.mearicloud.com can be abused to retrieve WAN IP data for arbitrary devices, including devices the requester does not own. The root cause is a server-side authorization failure in "GET /openapi/device/status": the API does not verify that the requester is entitled to the device it names.
The static signing key embedded in the client apps lowers the barrier to exploitation, because anyone who extracts it from an APK can produce validly signed requests, but it is not the root vulnerability. A signature made with a key shared by every installed client proves only that a request came from the app, not who is asking or which devices they own; the missing check is authorization in the API itself. The resulting WAN IP disclosure enables geolocation of consumer camera installations.
This is an instance of CWE-862: Missing Authorization, with an estimated CVSS 3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5, High).
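The following is an added illustration of the authorization failure class described above; it is not Meari's code and the page does not document the real API's parameters, so the parameter names (deviceId), the signing scheme, the session tokens and the device table are all constructed. It contrasts an endpoint that only validates an app-wide static signature (the CWE-862 pattern) with one that additionally binds the request to an authenticated account and checks that account owns the requested device.

```python
import hashlib
import hmac

# Constructed fixtures (hypothetical, not Meari's data): a static per-app
# signing key that ships inside every copy of the client, a device ownership
# table, the status data the endpoint returns, and a session table.
APP_SIGNING_KEY = b"static-key-shipped-in-every-apk"
DEVICE_OWNER = {"dev-0001": "alice", "dev-0002": "bob"}
DEVICE_STATUS = {
    "dev-0001": {"online": True, "wan_ip": "203.0.113.10"},
    "dev-0002": {"online": True, "wan_ip": "198.51.100.7"},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def sign(params: dict, key: bytes = APP_SIGNING_KEY) -> str:
    """Sign a request the way a client holding the static key would:
    HMAC-SHA256 over the sorted, canonicalised query parameters."""
    canonical = "&".join(f"{k}={params[k]}" for k in sorted(params))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def verify_app_signature(params: dict, sig: str) -> bool:
    return hmac.compare_digest(sign(params), sig)


def device_status_missing_authz(params: dict, sig: str):
    """Vulnerable pattern (CWE-862): the only gate is the app-wide signature.
    Because every installed client shares the key, the check proves nothing
    about the caller's identity or entitlement to deviceId."""
    if not verify_app_signature(params, sig):
        return 401, None
    device_id = params.get("deviceId")
    if device_id not in DEVICE_STATUS:
        return 404, None
    return 200, DEVICE_STATUS[device_id]


def device_status_with_authz(params: dict, sig: str, session_token: str):
    """Hardened pattern: the signature still identifies the app, but the
    request must also carry a user session, and the device must belong to
    that user (object-level authorization)."""
    if not verify_app_signature(params, sig):
        return 401, None
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, None
    device_id = params.get("deviceId")
    # Return 404 rather than 403 so the endpoint cannot be used as an oracle
    # to confirm which device identifiers exist.
    if DEVICE_OWNER.get(device_id) != user:
        return 404, None
    return 200, DEVICE_STATUS[device_id]


def attacker_with_extracted_key(device_id: str, session_token: str = "tok-alice"):
    """Model the attacker: the static key was pulled from the APK, so requests
    for any device can be signed. Against the vulnerable endpoint this yields
    the victim's WAN IP; against the hardened one it does not."""
    params = {"deviceId": device_id}
    sig = sign(params)  # attacker possesses APP_SIGNING_KEY
    vulnerable = device_status_missing_authz(params, sig)
    hardened = device_status_with_authz(params, sig, session_token)
    return {"vulnerable": vulnerable, "hardened": hardened}


if __name__ == "__main__":
    # Alice (or anyone holding the key) asks about Bob's camera.
    print(attacker_with_extracted_key("dev-0002"))
```

The point of the contrast is that rotating or hiding the signing key would not close the hole: as long as the server treats a valid app signature as sufficient to answer for any deviceId, every legitimate client remains a tool for querying someone else's device.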
Technical details #
Further technical details can be found in the original disclosure, Nobody Puts Baby In A Corner.
Attacker value #
This issue enables mass mapping of deployed cameras to network locations without authentication, supporting stalking, reconnaissance, and target profiling, and is especially useful for singling out high-value or vulnerable households.
When chained with CVE-2026-33356, an attacker can first harvest valid device identifiers from global MQTT traffic and then enrich those records with network geolocation data via OpenAPI queries.
Credit #
These issues were discovered, documented, and disclosed by Sammy Azdoufal. CVE coordination was performed by Tod Beardsley of runZero, Inc.
Timeline #
2026-03-11: Issues identified by the researcher, reviewed by runZero, and disclosed to vendor
2026-04-03: Opened VINCE Case VU#579666 with CISA for tracking
2026-04 through 2026-05: Email correspondence between the vendor and the researcher
2026-04-28: Researcher and runZero refined findings
2026-05-06: Confirmed findings and disclosure process with The Verge
2026-05-11: Public disclosure of CVE-2026-33356