Remote Denial of Service in FlashMQ MQTT Broker
CVE-2026-42209

6.5MEDIUM

Key Information:

Vendor

Halfgaar

Status
FlashMQ
Vendor
CVE Published:
8 May 2026

What is CVE-2026-42209?

A vulnerability exists in FlashMQ, an MQTT broker/server designed for multi-CPU environments, where prior to version 1.26.1, it can be subjected to a denial of service. This occurs when a remote client with retained publish permission triggers the broker to crash by setting both the 'set_retained_message_defer_timeout' and 'set_retained_message_defer_timeout_spread' to non-default values. If anonymous retained publishing is enabled, the attacker can exploit this without authentication; otherwise, they need the necessary publish permissions. This vulnerability has been addressed in version 1.26.1.

Affected Version(s)

FlashMQ < 1.26.1

References

https://github.com/halfgaar/FlashMQ/security/advisories/G...
x_refsource_CONFIRM
https://github.com/halfgaar/FlashMQ/issues/167
x_refsource_MISC
https://github.com/halfgaar/FlashMQ/commit/193b6e77678895...
x_refsource_MISC

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.