Subscribe Authorization Flaw in Meari IoT Cloud MQTT Broker Affects EMQX 4.x
CVE-2026-33356

7.7 HIGH

Key Information:

Vendor: Meari
CVE Published: 11 May 2026

What is CVE-2026-33356?

A flaw in the Meari IoT Cloud MQTT Broker, specifically in EMQX version 4.x, allows authenticated low-privilege accounts to subscribe to global wildcard topics. This can result in those accounts receiving telemetry data from devices they do not own. While the broker does enforce restrictions on publishing, it lacks equivalent authorization controls when subscribing to topics on a per-device basis, potentially exposing sensitive information.
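The missing control described above is a per-device check on SUBSCRIBE topic filters. The following is an added example, not code from Meari or EMQX, of such a check based on MQTT wildcard containment. The topic layout devices/<device_id>/..., the function names and the sample requests are assumptions constructed for illustration.

```python
# Added example: per-device SUBSCRIBE authorization via MQTT filter containment.
# Assumption: topics look like devices/<device_id>/... (hypothetical layout).

def strip_shared_prefix(topic_filter):
    """Drop $share/<group>/ or $queue/ so shared subscriptions are checked too."""
    levels = topic_filter.split("/")
    if levels[0] == "$share" and len(levels) > 2:
        return "/".join(levels[2:])
    if levels[0] == "$queue" and len(levels) > 1:
        return "/".join(levels[1:])
    return topic_filter

def filter_within(requested, allowed):
    """True if every topic matched by `requested` is also matched by `allowed`."""
    req, alw = requested.split("/"), allowed.split("/")
    for i, a in enumerate(alw):
        if a == "#":                        # allowed covers this level and below
            return True
        if i >= len(req) or req[i] == "#":  # requested is shorter or broader
            return False
        if a != "+" and req[i] != a:        # a literal level must match exactly
            return False
    return len(req) == len(alw)

def authorize_subscribe(owned_device_ids, topic_filter):
    """Allow a filter only if it stays inside one owned device's subtree."""
    requested = strip_shared_prefix(topic_filter)
    return any(filter_within(requested, f"devices/{d}/#") for d in owned_device_ids)

def denied_requests(requests):
    """Return (client, filter) pairs that the check rejects."""
    return [(c, f) for c, owned, f in requests if not authorize_subscribe(owned, f)]

# Constructed sample SUBSCRIBE requests: (client id, owned devices, topic filter)
SAMPLE_REQUESTS = [
    ("user-a", {"cam-001"}, "devices/cam-001/telemetry"),
    ("user-a", {"cam-001"}, "devices/cam-001/#"),
    ("user-a", {"cam-001"}, "#"),
    ("user-a", {"cam-001"}, "devices/+/telemetry"),
    ("user-a", {"cam-001"}, "$share/g1/devices/#"),
    ("user-a", {"cam-001"}, "devices/cam-002/telemetry"),
]

if __name__ == "__main__":
    for client, topic_filter in denied_requests(SAMPLE_REQUESTS):
        print(f"DENY {client} -> {topic_filter}")
```

The check is default-deny: a filter that is not provably inside an owned device's subtree is rejected, including global wildcards wrapped in a shared-subscription prefix.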

Affected Version(s)

IoT Cloud MQTT Broker EMQX 4.x

CVSS V3.1

Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Sammy Azdoufal
Tod Beardsley of runZero, Inc.