PT-2026-39640 · Emqx · Emqx

Sammy Azdoufal +1

Published 2026-05-11 · Updated 2026-05-11

CVE-2026-33356

CVSS v3.1 7.7 High

Vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: EMQX versions 4.x

Description: In Meari IoT Cloud MQTT Broker deployments, an authenticated low-privilege account can subscribe to global wildcard topics, such as meari/#, allowing the user to receive telemetry from devices they do not own. While the broker enforces publish Access Control Lists (ACLs), it fails to enforce equivalent subscribe authorization at the per-device scope. In a real-world test on a single broker, this allowed the capture of 14,204 messages from 2,117 devices.

Recommendations: Update EMQX versions 4.x to a version where subscribe authorization is properly enforced at the per-device scope.
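The publish/subscribe ACL asymmetry described above, modelled as an added example (not EMQX code and not part of the advisory): a broker-side authorizer that checks publishes against the client's own device scope, with the subscribe check shown in its weak form (any filter under meari/ is accepted, so meari/# is granted) beside the hardened form (the subscription filter must be contained in the client's own scope). The topic layout meari/<client_id>/..., the device ids and the telemetry messages are constructed assumptions.

```python
def topic_matches(filter_: str, topic: str) -> bool:
    """MQTT 3.1.1 filter matching: '+' matches one level, '#' the remainder."""
    f_levels, t_levels = filter_.split("/"), topic.split("/")
    for i, part in enumerate(f_levels):
        if part == "#":  # last level only; also matches zero remaining levels
            return True
        if i >= len(t_levels) or (part != "+" and part != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)

def filter_within_scope(filter_: str, scope: str) -> bool:
    """True only if every topic the filter can match lies under the literal scope.
    A '+' or '#' in a level that overlaps the scope would also match other
    devices' topics, so those levels must be literal."""
    f_levels, s_levels = filter_.split("/"), scope.split("/")
    if len(f_levels) < len(s_levels):
        return False
    return all(f == s for f, s in zip(f_levels, s_levels))

def authorize(action: str, client_id: str, topic: str, per_device_subscribe: bool) -> bool:
    """Decide a publish (topic) or subscribe (filter) request for client_id."""
    scope = f"meari/{client_id}"  # assumed per-device scope (constructed layout)
    if action == "publish":
        # Publish ACL: the client may only write under its own device scope.
        return topic_matches(scope + "/#", topic)
    if action == "subscribe":
        if not per_device_subscribe:
            # Weak rule, equivalent to a broad "allow subscribe meari/#": the
            # requested filter meari/# itself matches the rule, so it is granted.
            return topic_matches("meari/#", topic)
        return filter_within_scope(topic, scope)  # hardened per-device check
    return False

# Constructed sample telemetry from several devices (not real data).
SAMPLE_MESSAGES = [
    ("meari/dev-0001/telemetry", "temp=21"),
    ("meari/dev-0001/status", "online"),
    ("meari/dev-0042/telemetry", "temp=19"),
    ("meari/dev-0777/telemetry", "temp=23"),
]

def captured_messages(client_id, filter_, per_device_subscribe, messages=SAMPLE_MESSAGES):
    """Messages the subscriber receives if the broker authorizes its subscription."""
    if not authorize("subscribe", client_id, filter_, per_device_subscribe):
        return []
    return [m for m in messages if topic_matches(filter_, m[0])]
```

With the weak check, a subscription to meari/# from dev-0042 receives every device's telemetry; with the hardened check it is refused and only meari/dev-0042/# is accepted.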

Fix

IDOR

Weakness Enumeration

Related Identifiers: CVE-2026-33356

Affected Products: Emqx