Skip to main content

Meari IoT Cloud MQTT Broker CVE-2026-33356

| EUVDEUVD-2026-29102 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-11 runZero GHSA-2vfr-ch7v-7754
7.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 11, 2026 - 16:45 vuln.today
CVE Published
May 11, 2026 - 16:02 nvd
HIGH 7.7

DescriptionCVE.org

In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own. The broker enforces publish restrictions but does not enforce equivalent subscribe authorization at per-device scope.

AnalysisAI

Authenticated low-privilege users can subscribe to global wildcard topics in Meari IoT Cloud MQTT Broker (EMQX 4.x), receiving telemetry from devices they do not own. While publish restrictions are enforced, subscribe authorization lacks per-device scope controls, enabling cross-tenant data exposure in multi-tenant IoT deployments. Publicly available exploit code exists (GitHub repository confirmed by runZero advisory). EPSS and KEV status not available, but CVE assigned in 2026 suggests recent disclosure with active researcher attention.

Technical ContextAI

EMQX is an open-source MQTT broker used for IoT device messaging. MQTT topic subscription uses hierarchical patterns with wildcard support (

for multi-level, + for single-level). The vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), where the broker validates publish ACLs but fails to enforce equivalent per-device or per-tenant subscribe authorization. In multi-tenant IoT cloud deployments, authenticated users can subscribe to topics like 'devices/#' or 'telemetry/+' to receive messages from devices outside their assigned scope. The CVSS Scope:Changed metric reflects cross-tenant impact - attackers can access resources beyond their authorization boundary. EMQX 4.x series is affected per CPE data; the broker's ACL plugin architecture supports custom authorization rules, but Meari's deployment misconfigured or omitted subscribe-side ACLs.

RemediationAI

Primary mitigation is to implement per-device or per-tenant subscribe ACLs in the EMQX broker configuration using EMQX's ACL plugin system or external authentication hooks. Meari/vendor should configure ACL rules to restrict subscription patterns based on authenticated user identity, limiting subscriptions to topics matching user-owned device IDs (e.g., allow 'devices/{user_id}/#' only). Exact patch version not confirmed in available data; organizations should check https://www.runzero.com/advisories/meari-mqtt-broker-missing-per-device-subscribe-acl-cve-2026-33356/ for vendor-released configuration guidance or EMQX updates. Compensating controls if patch unavailable: (1) Deploy MQTT proxy with subscribe-side authorization (e.g., VerneMQ, HiveMQ with enhanced ACLs) in front of EMQX - adds latency and operational complexity. (2) Implement application-layer topic filtering where each client connection receives a unique, non-guessable topic prefix - requires device firmware updates and breaks wildcard subscription patterns legitimate users may need. (3) Network segmentation to isolate high-value device telemetry onto separate broker instances per customer - increases infrastructure cost and management overhead. Monitor MQTT broker logs for unusual wildcard subscription attempts (topics containing

or + from low-privilege accounts) as detection measure.

Share

CVE-2026-33356 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy