Parents who rely on Meari-branded baby monitors to watch over their children now face a disturbing reality: security researchers have identified a chain of flaws that could let strangers intercept live video feeds and stored alert images. Three separate vulnerabilities tied to these devices have been formally catalogued by the National Vulnerability Database, the federal registry operated by NIST. The flaws span an MQTT authorization bypass, hardcoded cryptographic keys, and a weak image-obfuscation scheme, each tracked under its own CVE identifier. No public statement from the device maker addresses patch timelines or the scope of affected units.
Why these Meari monitor flaws demand immediate attention
The core danger is straightforward. An attacker who exploits the MQTT authorization issue, catalogued as CVE-2026-33356, can subscribe to message topics on the broker without proper credentials. MQTT is a lightweight messaging protocol widely used in Internet of Things devices to relay commands and sensor data between a cloud server and a home gadget. When the broker fails to enforce topic-level permissions, any authenticated client on the same service can read messages meant for someone else’s camera, including video stream metadata and control signals.
The second flaw, tracked as CVE-2026-33362, involves hardcoded encryption keys embedded in the device firmware. Hardcoded keys mean every unit ships with the same secret material, so extracting the key from one monitor hands an attacker the ability to decrypt traffic from any other device in the product line. The NVD entry for CVE-2026-33362 references the original researcher write-up that documents this weakness and illustrates how a single shared key undermines the confidentiality of all captured data.
The third vulnerability, CVE-2026-33361, targets the way Meari monitors store alert snapshots. Instead of using standard encryption, the devices apply a trivial obfuscation layer that appends a .jpgx3 extension and uses a reversible decode routine. Anyone who intercepts these files can reconstruct them into ordinary JPEG images viewable on any computer. The practical result: motion-triggered photos of sleeping infants, nursery interiors, and household activity become accessible to unauthorized parties if they can reach the storage location or intercept traffic.
Taken together, the three CVEs create a kill chain. An attacker can locate exposed brokers, authenticate or interact using material tied to hardcoded keys, subscribe to another household’s MQTT topics, and decode the resulting image files. Each step is individually simple, and the combination lowers the skill threshold for exploitation significantly. For families who assume that baby monitors are closed, home-only systems, the idea that strangers could quietly siphon images or metadata from afar is especially unsettling.
How NIST records and researcher reports anchor the findings
All three vulnerabilities carry formal entries in the National Vulnerability Database, the authoritative U.S. government registry that catalogs software and hardware security flaws. NIST operates the NVD as part of its broader role in developing cybersecurity standards and guidance. Each CVE entry follows a standardized format that includes a description, a Common Vulnerability Scoring System (CVSS) rating, affected products, and reference links to external advisories or technical analyses.
The NVD pages for CVE-2026-33356 and CVE-2026-33362 both reference a runZero advisory and a researcher GitHub repository as their primary technical sources. The entry for CVE-2026-33361 similarly points to the researcher report that details the .jpgx3 decode weakness and demonstrates how the obfuscation can be reversed with minimal effort. These cross-references allow other security teams to reproduce the findings independently, and they signal that the flaws have passed editorial review at the NVD before publication.
Federal risk-management frameworks add another layer of relevance. The configuration enumeration program helps organizations map specific system settings and weaknesses to standardized identifiers, making it easier to track where insecure defaults or poor cryptographic practices appear. In parallel, the SP 800-53 security controls catalog, accessible through NIST’s risk-management portal, provides the baseline requirements federal agencies and many private-sector organizations use to evaluate whether connected devices meet expectations for access control, encryption, and monitoring.
Devices carrying known, unpatched CVEs of this nature would run afoul of multiple control families, including those governing account management, key protection, and the safeguarding of personally identifiable information. A baby monitor that allows unauthorized subscription to message topics, relies on hardcoded keys, and uses reversible image obfuscation would not satisfy typical federal or enterprise procurement checklists that reference these standards.
The hypothesis that other devices sharing the same third-party MQTT stack will produce additional authorization CVEs once researchers apply internet-scale scanning is grounded in a pattern visible across IoT disclosures. MQTT brokers are frequently deployed as white-label components, meaning the same vulnerable code can appear in cameras, doorbells, and sensors sold under entirely different brand names. If the authorization logic flaw in CVE-2026-33356 originates in a shared library rather than in Meari-specific firmware, scanning other product families that use the same broker software could surface similar bypasses over time.
Gaps in the public record and what owners should watch for
Several questions remain open. The headline figure of “more than a million” affected devices circulates in researcher commentary, but no NVD entry or official NIST publication supplies the methodology behind that estimate. The number may derive from internet-wide scans of exposed MQTT brokers or from app-download statistics, yet without a documented counting method, it should be treated as an informed approximation rather than a confirmed census of vulnerable monitors.
There is also no publicly documented firmware version matrix that spells out which specific Meari models and software builds are affected by each CVE. That absence complicates risk assessments for both individual households and organizations that may have purchased these monitors in bulk. Without a vendor advisory that maps model numbers to vulnerability status, owners are left to infer exposure from indirect clues such as production dates, app behavior, or third-party teardown reports.
For now, there is no clear evidence in the public record that patches have been broadly deployed or that automatic updates have closed the MQTT authorization gap, rotated hardcoded keys, or replaced the weak image-obfuscation scheme with proper encryption. The lack of a manufacturer bulletin outlining remediation steps, timelines, and residual risks stands out against the detailed technical documentation available from independent researchers and the NVD.
In this vacuum, owners of Meari-based baby monitors can take several pragmatic steps to reduce potential exposure while awaiting definitive vendor guidance. Isolating the camera on a separate home network or guest Wi-Fi segment limits how far an intruder could move laterally if they compromise the device. Disabling remote access features in the companion app, where possible, reduces reliance on cloud brokers that may be susceptible to the authorization flaw. Regularly checking for firmware updates and applying them promptly is essential, even if release notes are sparse.
Organizations with formal security programs should inventory any deployed baby monitors or similar IoT cameras and cross-reference them against known CVEs in the National Vulnerability Database. Aligning asset management with standardized identifiers from the NIST checklist program can make it easier to track which systems inherit risk from shared components like MQTT brokers or cryptographic libraries. Where policy allows, replacing vulnerable models with devices that offer transparent security documentation and timely patching may be the most straightforward mitigation.
Ultimately, the Meari case underscores a broader lesson for consumer and enterprise buyers alike: seemingly simple household gadgets can embody complex cloud architectures and third-party code, and weaknesses anywhere in that chain can have real-world privacy consequences. Until manufacturers consistently pair connected features with robust security engineering and clear public communication, families and organizations will need to lean on independent research, standardized vulnerability databases, and cautious network design to keep the most sensitive spaces in their homes and workplaces from becoming inadvertent windows to the outside world.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.