PT-2026-39641 · Meari · Cloudedge+2

Sammy Azdoufal +1 · Published 2026-05-11 · Updated 2026-05-11 · CVE-2026-33357

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

CloudEdge version 5.5.0 build 220
Arenti version 1.8.1 build 220
Meari-based white-label applications versions 1.8.x and earlier

Description

Meari client applications embedding "com.meari.sdk" contain a server-side authorization failure. An attacker can abuse the integrated call path to 'openapi-euce.mearicloud.com' to retrieve the WAN IP address of arbitrary devices using their serial number. This is possible because the 'GET /openapi/device/status' endpoint does not require user authentication and utilizes a hardcoded signing key present in all public Meari-based applications. This issue is an Insecure Direct Object Reference (IDOR), which occurs when an application provides direct access to objects based on user-supplied input.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
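
The authorization gap described above, shown next to a corrected server-side check, as an added example that is not Meari's code and not part of the original advisory. The HMAC-SHA256 scheme, the key, the serial numbers, the session table and all function names are assumptions constructed for illustration.

```python
import hashlib
import hmac

# All values below are constructed for illustration; none come from the advisory.
APP_SIGNING_KEY = b"constructed-key-shipped-in-every-app"  # identical in every client build
DEVICES = {  # serial number -> owner and last-seen WAN IP (documentation address ranges)
    "SN-ALICE-0001": {"owner": "alice", "wan_ip": "198.51.100.10"},
    "SN-BOB-0002": {"owner": "bob", "wan_ip": "203.0.113.20"},
}
SESSIONS = {"session-token-alice": "alice"}  # issued by the server after user login


def sign(serial: str, key: bytes = APP_SIGNING_KEY) -> str:
    """Signature any copy of the app can compute (HMAC-SHA256 is an assumption)."""
    return hmac.new(key, serial.encode(), hashlib.sha256).hexdigest()


def status_app_key_only(serial: str, signature: str) -> dict:
    """Flawed pattern: a valid app-wide signature is treated as authorization."""
    if not hmac.compare_digest(signature, sign(serial)):
        return {"status": 401}
    device = DEVICES.get(serial)
    if device is None:
        return {"status": 404}
    return {"status": 200, "wan_ip": device["wan_ip"]}


def status_with_ownership_check(serial: str, session_token: str) -> dict:
    """Corrected pattern: authenticate the user, then authorize per device."""
    user = SESSIONS.get(session_token)
    if user is None:
        return {"status": 401}
    device = DEVICES.get(serial)
    # Same answer for unknown and foreign serials, so the endpoint is not an oracle.
    if device is None or device["owner"] != user:
        return {"status": 404}
    return {"status": 200, "wan_ip": device["wan_ip"]}


if __name__ == "__main__":
    # Alice's client asks about Bob's device, then about her own.
    print(status_app_key_only("SN-BOB-0002", sign("SN-BOB-0002")))
    print(status_with_ownership_check("SN-BOB-0002", "session-token-alice"))
    print(status_with_ownership_check("SN-ALICE-0001", "session-token-alice"))
```

The signature check in the first handler proves only that the caller holds the key shipped in every app, so it identifies no user; the second handler ties the lookup to the logged-in account that owns the device.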

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-33357

Affected Products

Arenti
Cloudedge
Com.Meari.Sdk