Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own. The broker enforces publish restrictions but does not enforce equivalent subscribe authorization at per-device scope.
AnalysisAI
Authenticated low-privilege users can subscribe to global wildcard topics in Meari IoT Cloud MQTT Broker (EMQX 4.x), receiving telemetry from devices they do not own. While publish restrictions are enforced, subscribe authorization lacks per-device scope controls, enabling cross-tenant data exposure in multi-tenant IoT deployments. Publicly available exploit code exists (GitHub repository confirmed by runZero advisory). EPSS and KEV status not available, but CVE assigned in 2026 suggests recent disclosure with active researcher attention.
Technical ContextAI
EMQX is an open-source MQTT broker used for IoT device messaging. MQTT topic subscription uses hierarchical patterns with wildcard support (
for multi-level, + for single-level). The vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), where the broker validates publish ACLs but fails to enforce equivalent per-device or per-tenant subscribe authorization. In multi-tenant IoT cloud deployments, authenticated users can subscribe to topics like 'devices/#' or 'telemetry/+' to receive messages from devices outside their assigned scope. The CVSS Scope:Changed metric reflects cross-tenant impact - attackers can access resources beyond their authorization boundary. EMQX 4.x series is affected per CPE data; the broker's ACL plugin architecture supports custom authorization rules, but Meari's deployment misconfigured or omitted subscribe-side ACLs.
RemediationAI
Primary mitigation is to implement per-device or per-tenant subscribe ACLs in the EMQX broker configuration using EMQX's ACL plugin system or external authentication hooks. Meari/vendor should configure ACL rules to restrict subscription patterns based on authenticated user identity, limiting subscriptions to topics matching user-owned device IDs (e.g., allow 'devices/{user_id}/#' only). Exact patch version not confirmed in available data; organizations should check https://www.runzero.com/advisories/meari-mqtt-broker-missing-per-device-subscribe-acl-cve-2026-33356/ for vendor-released configuration guidance or EMQX updates. Compensating controls if patch unavailable: (1) Deploy MQTT proxy with subscribe-side authorization (e.g., VerneMQ, HiveMQ with enhanced ACLs) in front of EMQX - adds latency and operational complexity. (2) Implement application-layer topic filtering where each client connection receives a unique, non-guessable topic prefix - requires device firmware updates and breaks wildcard subscription patterns legitimate users may need. (3) Network segmentation to isolate high-value device telemetry onto separate broker instances per customer - increases infrastructure cost and management overhead. Monitor MQTT broker logs for unusual wildcard subscription attempts (topics containing
or + from low-privilege accounts) as detection measure.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29102
GHSA-2vfr-ch7v-7754