Meari SDK Flaw CVE-2026-33357 Leaks WAN IP of IoT Cameras
CVE-2026-33357 (CVSS 7.5) in Meari SDK lets attackers retrieve WAN IPs for any device via CloudEdge, Arenti, and white-label apps — no authentication required.

Indicators of Compromise (1)
| Type | Value | Description | Confidence |
|---|---|---|---|
| Domain | openapi-euce.mearicloud.com | Extracted from source material | medium |
Executive Summary
A server-side authorization failure in the Meari software development kit (SDK) — used by CloudEdge, Arenti, and numerous white-label IoT camera applications — allows any unauthenticated attacker to retrieve the public WAN IP address of any device linked to the platform. Tracked as CVE-2026-33357 with a CVSS score of 7.5 (High), the flaw resides in the GET /openapi/device/status endpoint hosted at openapi-euce.mearicloud.com. The vulnerability was disclosed by researcher xn0tsa via a GitHub advisory on 2026-05-10. No official patch or workaround has been issued by Meari as of this writing.
Technical Analysis
The Meari SDK (package com.meari.sdk) is embedded in a family of mobile applications that provide remote viewing and control of IP cameras. Affected versions include CloudEdge 5.5.0 build 220, Arenti 1.8.1 build 220, and all white-label applications based on SDK versions ≤ 1.8.x. These apps communicate with Meari's cloud infrastructure through the API gateway at openapi-euce.mearicloud.com.
According to xn0tsa's disclosure, the GET /openapi/device/status endpoint lacks any server-side authorization check. The endpoint accepts a device identifier and returns the device's current WAN IP address — without requiring a valid session token, API key, or proof of device ownership. An attacker who can enumerate or guess a valid device ID (a process that the researcher notes is aided by predictable ID generation patterns in the SDK) can silently map the public IP addresses of any camera fleet.
The WAN IP address is a critical piece of reconnaissance data. With it, an attacker can determine the geographic location of the camera (via IP geolocation), identify the ISP, and — if the camera or its network exposes additional services — attempt further exploitation such as brute-force attacks on default credentials or known vulnerabilities in the camera firmware. The disclosure does not indicate whether the endpoint also leaks other device metadata, but the researcher's report focuses exclusively on the IP disclosure vector.
This flaw is particularly concerning for white-label products, which often receive slower security updates than the branded CloudEdge and Arenti apps. The exact number of affected devices is unknown, but Meari's SDK is widely used in low-cost IP cameras sold under dozens of brand names across online marketplaces.
The CVE entry notes that the root cause is a missing authorization check — the server trusts that any request reaching the endpoint is legitimate. This pattern is common in IoT cloud backends that were designed with implicit trust in mobile app clients, which themselves authenticate users but do not enforce the same check server-side.
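The root cause described above, shown as an added example that is not Meari's code or the researcher's: a status handler that trusts any caller, next to one that authenticates the caller and checks device ownership on the server. The data model, function names, device IDs and IP addresses are all hypothetical and constructed for illustration.

```python
import secrets

# Constructed sample data: device IDs, owners and IPs are illustrative only
# (the IPs come from the RFC 5737 documentation ranges).
DEVICES = {
    "dev-1001": {"owner": "alice", "wan_ip": "203.0.113.10"},
    "dev-1002": {"owner": "bob", "wan_ip": "198.51.100.24"},
}
SESSIONS = {}  # session token -> user name


def login(user):
    """Issue an unguessable session token (stand-in for real authentication)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


def status_unchecked(device_id):
    """Models the missing check: any caller that supplies a device ID
    gets that device's WAN IP back."""
    device = DEVICES.get(device_id)
    if device is None:
        return 404, {"error": "unknown device"}
    return 200, {"device_id": device_id, "wan_ip": device["wan_ip"]}


def status_checked(token, device_id):
    """Same lookup with authentication and an ownership check on the server."""
    user = SESSIONS.get(token) if token else None
    if user is None:
        return 401, {"error": "authentication required"}
    device = DEVICES.get(device_id)
    # Unknown devices and devices owned by someone else get the same answer,
    # so the response cannot be used to confirm which IDs exist.
    if device is None or device["owner"] != user:
        return 403, {"error": "forbidden"}
    return 200, {"device_id": device_id, "wan_ip": device["wan_ip"]}


if __name__ == "__main__":
    alice = login("alice")
    print(status_unchecked("dev-1002"))       # returns bob's WAN IP to anyone
    print(status_checked(None, "dev-1002"))   # rejected: no session
    print(status_checked(alice, "dev-1002"))  # rejected: not alice's device
    print(status_checked(alice, "dev-1001"))  # allowed: alice's own device
```

The ownership comparison runs on every request in the handler itself, so it holds even when the caller is not the vendor's mobile app.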
Mitigations & Recommendations
As of publication, Meari has not released a patched version of the SDK or updated the affected applications. Defenders and users should take the following steps:
- Monitor outbound traffic from camera networks to openapi-euce.mearicloud.com. Unexpected or frequent requests to the /openapi/device/status endpoint may indicate scanning activity.
- Segment IoT devices on a separate VLAN with strict egress filtering. Even if a camera's WAN IP is leaked, network segmentation limits lateral movement.
- Disable UPnP on routers used with these cameras to reduce the attack surface exposed on the WAN IP.
- Replace affected devices if the vendor does not issue a patch within a reasonable timeframe — the risk of IP enumeration combined with other camera vulnerabilities makes continued use inadvisable for security-conscious users.
- Check for firmware updates regularly, as white-label vendors may independently patch the SDK without a coordinated Meari announcement.

