Description

In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege account can subscribe to global wildcard topic filters (the MQTT multi-level wildcard "#") and receive telemetry from devices the user does not own. The broker's ACL restricts publish operations to the caller's own devices, but it does not apply an equivalent per-device authorization check to subscribe requests, so a subscribe filter is not confined to the devices the account owns.
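The gap described above, modelled as an added example written for this page (it is not code from Meari, EMQX or the advisory): a per-device ACL that scopes publish topics but waves through any subscribe filter, beside a version that evaluates the subscribe filter against the same per-device scope. The owner table, the devices/<device_id>/... topic layout and all function names are assumptions made for illustration.

```python
"""Model of a per-device MQTT ACL with the subscribe gap described above.

Constructed example: the owner table and the "devices/<device_id>/..." topic
layout are assumptions for illustration, not taken from Meari or EMQX.
"""

# Constructed ownership table (assumption): username -> device ids owned.
DEVICE_OWNERS = {
    "alice": {"cam-1001", "cam-1002"},
    "bob": {"cam-2001"},
}


def owned_filters(username):
    """Topic subtrees a user may legitimately reach: one per owned device."""
    return [f"devices/{dev}/#" for dev in sorted(DEVICE_OWNERS.get(username, ()))]


def strip_shared_prefix(topic_filter):
    """Reduce an MQTT 5 shared subscription "$share/<group>/<filter>" to the
    underlying filter, so the group prefix cannot be used to dodge the check."""
    if topic_filter.startswith("$share/"):
        parts = topic_filter.split("/", 2)
        if len(parts) == 3:
            return parts[2]
    return topic_filter


def matches(topic_filter, topic):
    """Standard MQTT filter matching against one concrete topic.  (The rule
    that '#' does not match '$'-prefixed topics is omitted; every device
    topic in this model lives under devices/.)"""
    f, t = topic_filter.split("/"), topic.split("/")
    for i, seg in enumerate(f):
        if seg == "#":
            return True
        if i >= len(t) or (seg != "+" and seg != t[i]):
            return False
    return len(f) == len(t)


def filter_covers(allowed, requested):
    """True if every topic matched by `requested` is also matched by `allowed`.

    A subscribe ACL must reason about the whole set of topics a filter can
    reach: a '+' or '#' in the request where `allowed` has a literal device
    id would deliver other owners' devices, so it is refused.
    """
    a, r = allowed.split("/"), requested.split("/")
    for i, seg in enumerate(a):
        if seg == "#":                  # allowed covers everything below here
            return True
        if i >= len(r):                 # requested names a parent topic that
            return False                # the allowed pattern does not include
        if r[i] == "#":                 # requested spans levels allowed does not
            return False
        if seg != "+" and seg != r[i]:  # literal in allowed must match exactly;
            return False                # '+' in allowed accepts '+' or a literal
    return len(r) == len(a)


def authorize_weak(action, username, topic):
    """Mirrors the reported behaviour: publish is scoped per device, but any
    authenticated user may subscribe to any filter, including '#'."""
    if action == "publish":
        return any(matches(f, topic) for f in owned_filters(username))
    return True


def authorize_hardened(action, username, topic):
    """Apply the same per-device scope to subscribe, evaluated on the filter."""
    topic = strip_shared_prefix(topic)
    if action == "publish":
        if "+" in topic or "#" in topic:  # wildcards are invalid in a publish topic
            return False
        return any(matches(f, topic) for f in owned_filters(username))
    # Conservative: the whole filter must sit inside one owned subtree.  A user
    # owning every device would still be denied 'devices/+/#'; that is the
    # safe direction to err.
    return any(filter_covers(f, topic) for f in owned_filters(username))


def leaked_devices(policy, username, topic_filter):
    """Devices not owned by `username` whose telemetry the subscription would
    deliver if `policy` accepts it."""
    if not policy("subscribe", username, topic_filter):
        return set()
    flt = strip_shared_prefix(topic_filter)
    owned = DEVICE_OWNERS.get(username, set())
    return {dev for devs in DEVICE_OWNERS.values() for dev in devs
            if dev not in owned and matches(flt, f"devices/{dev}/telemetry")}


if __name__ == "__main__":
    for flt in ("#", "devices/+/telemetry", "$share/g1/#", "devices/cam-2001/#"):
        print(f"{flt:22} weak leaks {sorted(leaked_devices(authorize_weak, 'bob', flt))}"
              f"  hardened leaks {sorted(leaked_devices(authorize_hardened, 'bob', flt))}")
```

The point the model makes is that a subscribe decision has to be taken on the filter as a set of topics, not on a single concrete topic: a "+" or "#" in the device-id position escapes the caller's scope even when the concrete topics it later receives would each have failed a publish check. Shared-subscription prefixes are normalised before the check for the same reason.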

PUBLISHED | Reserved: 2026-03-19 | Published: 2026-05-11 | Updated: 2026-05-11 | Assigner: runZero

HIGH 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

Problem types

CWE-639 Authorization Bypass Through User-Controlled Key

Product status

Default status: unaffected

4.x (custom version range): affected

Credits

Sammy Azdoufal (finder)

Tod Beardsley of runZero, Inc. (coordinator)

References

github.com/xn0tsa/nobody-puts-baby-in-a-corner (technical description)

www.runzero.com/...-per-device-subscribe-acl-cve-2026-33356/ (third-party advisory)

cve.org (CVE-2026-33356)

nvd.nist.gov (CVE-2026-33356)