PT-2026-39644 · Meari · Meari Iot Sdk+2

Sammy Azdoufal +1 · Published 2026-05-11 · Updated 2026-05-11 · CVE-2026-33362

CVSS v3.1: 8.6 High

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

CloudEdge version 5.5.0 (build 220)
Arenti version 1.8.1 (build 220)
White-label Android apps versions 1.x and earlier

Description

Meari IoT SDK builds contain multiple security-critical secrets that are hardcoded and shared across the ecosystem. These include API signing material, password-transport keying, and service access keys. Specifically, every Meari-based app uses the same HMAC secret (the key for the Hash-based Message Authentication Code that verifies data integrity), the same DES (Data Encryption Standard) key for passwords, the same OpenAPI key, and the same P2P password. These keys cannot be rotated without re-flashing every device in the field.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Related Identifiers

CVE-2026-33362

Affected Products

Arenti
Cloudedge
Meari Iot Sdk