Products

| # | Product |
| --- | --- |
| 1 | Alibaba OSS (April 2026 hosted) |
CVE: CVE-2026-33359

Executive summary
In Meari IoT Cloud alert image storage on Alibaba OSS (latest observed; storage service version not disclosed), motion snapshots are retrievable without authentication, signed URLs, or expiry enforcement. URLs function as direct object references and remain valid beyond expected operational windows.
As a result, private indoor and baby-monitor camera images can be accessed by unauthorized parties who obtain links, creating persistent confidentiality exposure independent of account access.
This is an instance of CWE-862: Missing Authorization, and has an estimated CVSS vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High).
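As an added illustration (not part of this advisory, the vendor's code, or the original disclosure) of the control whose absence the summary describes, the following Python implements a hypothetical HMAC-based signed-URL issuer with a server-side verifier that rejects unsigned, tampered, or expired object references, plus a small audit helper that flags captured image URLs carrying no signature or expiry. The signing scheme is a constructed stand-in, not Alibaba OSS's own algorithm; the `Expires`/`Signature` query-parameter names follow OSS's V1 signed-URL convention (which also carries `OSSAccessKeyId`); the signing key, hostname, and object keys are constructed sample values.

```python
import hashlib
import hmac
import time
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed secret for the example; a real deployment keeps this in a KMS or secret store.
SIGNING_KEY = b"example-signing-key-not-for-production"


def _mac(object_key: str, expires: int) -> str:
    """HMAC-SHA256 over the object key and expiry (hypothetical scheme)."""
    msg = f"{object_key}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_signed_url(base_url: str, object_key: str, ttl_seconds: int,
                     now: Optional[int] = None) -> str:
    """Return a URL whose query carries an expiry and a signature bound to the object key.

    The object key alone is never enough to fetch the object: a copied link stops
    working once `Expires` passes, and changing the key invalidates the signature.
    """
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"Expires": expires, "Signature": _mac(object_key, expires)})
    return f"{base_url}/{object_key}?{query}"


def verify_request(url: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Server-side check run before serving an object: reject unsigned, expired, or tampered URLs."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    if "Expires" not in params or "Signature" not in params:
        return False, "unsigned direct object reference"
    try:
        expires = int(params["Expires"][0])
    except ValueError:
        return False, "malformed expiry"
    if expires <= now:
        return False, "expired"
    object_key = parsed.path.lstrip("/")
    # Constant-time comparison so signature checks do not leak timing information.
    if not hmac.compare_digest(_mac(object_key, expires), params["Signature"][0]):
        return False, "bad signature"
    return True, "ok"


def audit_capture(urls: List[str], now: int) -> List[Tuple[str, str]]:
    """Classify image URLs seen in traffic or logs by whether they carry signing and expiry.

    Heuristic for a defender reviewing a capture: an image URL with neither an `Expires`
    nor a `Signature` parameter is a bare object reference that anyone holding the link can
    fetch, which is the exposure pattern this advisory describes.
    """
    findings = []
    for url in urls:
        params = parse_qs(urlparse(url).query)
        if "Expires" not in params or "Signature" not in params:
            findings.append((url, "unsigned: object key alone retrieves the object"))
        elif int(params["Expires"][0]) <= now:
            findings.append((url, "signed but expired: verify the server rejects it"))
        else:
            findings.append((url, "signed and unexpired"))
    return findings


if __name__ == "__main__":
    # Constructed sample capture: one bare link, one freshly signed link.
    t0 = 1_700_000_000
    bare = "https://alerts.example-bucket.invalid/cam1/2026-04-01/snap-001.jpg"
    signed = issue_signed_url("https://alerts.example-bucket.invalid",
                              "cam1/2026-04-01/snap-001.jpg", ttl_seconds=300, now=t0)
    for url, status in audit_capture([bare, signed], now=t0 + 60):
        print(f"{status:50s} {url}")
    print(verify_request(bare, now=t0 + 60))
    print(verify_request(signed, now=t0 + 60))
    print(verify_request(signed, now=t0 + 600))
```

The verifier must run on the storage front end (or the object store's own signed-URL feature must be enabled), since a client-side check cannot stop a third party who already holds the link; the audit helper is only a triage aid for spotting bare object references in captured traffic.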
Technical details
Further technical details can be found at the original disclosure, Nobody Puts Baby In A Corner.
Attacker value
Attackers gain direct access to intensely personal visual data such as breastfeeding and diaper changes (as these devices tend to be marketed as baby monitor solutions), without needing account takeover or active session control. The absence of expiration means collected URLs can be replayed later for ongoing privacy violations.
This issue compounds impact from CVE-2026-33356, where image URLs are exposed in broker traffic, and from CVE-2026-33361, where related baby-monitor image formats can be trivially decoded.
Credit
These issues were discovered, documented, and disclosed by Sammy Azdoufal. CVE coordination was performed by Tod Beardsley of runZero, Inc.
Timeline
2026-03-11: Issues identified by the researcher, reviewed by runZero, and disclosed to vendor
2026-04-03: Opened VINCE Case VU#579666 with CISA for tracking
2026-April/May: Email communication between the vendor and the researcher throughout April and May
2026-04-28: Researcher and runZero refined findings
2026-05-06: Confirmed findings and disclosure process with The Verge
2026-05-11: Public disclosure of CVE-2026-33356