Iot Cloud Mqtt Broker Emqx
Monthly
Authenticated low-privilege users can subscribe to global wildcard topics in Meari IoT Cloud MQTT Broker (EMQX 4.x), receiving telemetry from devices they do not own. While publish restrictions are enforced, subscribe authorization lacks per-device scope controls, enabling cross-tenant data exposure in multi-tenant IoT deployments. Publicly available exploit code exists (GitHub repository confirmed by runZero advisory). EPSS and KEV status not available, but CVE assigned in 2026 suggests recent disclosure with active researcher attention.
Authenticated low-privilege users can subscribe to global wildcard topics in Meari IoT Cloud MQTT Broker (EMQX 4.x), receiving telemetry from devices they do not own. While publish restrictions are enforced, subscribe authorization lacks per-device scope controls, enabling cross-tenant data exposure in multi-tenant IoT deployments. Publicly available exploit code exists (GitHub repository confirmed by runZero advisory). EPSS and KEV status not available, but CVE assigned in 2026 suggests recent disclosure with active researcher attention.