CVE-2026-33356

HIGH 7.7

Meari MQTT broker missing per-device subscribe ACL

CVSS Score

7.7

EPSS Score

0.0%

EPSS Percentile

0th

In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own. The broker enforces publish restrictions but does not enforce equivalent subscribe authorization at per-device scope.

CWE	CWE-639
Vendor	meari
Product	iot cloud mqtt broker emqx
Published	May 11, 2026
Last Updated	May 11, 2026

Stay Ahead of the Next One

Get instant alerts for meari iot cloud mqtt broker emqx

Be the first to know when new high vulnerabilities affecting meari iot cloud mqtt broker emqx are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

Meari / IoT Cloud MQTT Broker EMQX

4.x

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/xn0tsa/nobody-puts-baby-in-a-corner runzero.com: https://www.runzero.com/advisories/meari-mqtt-broker-missing-per-device-subscribe-acl-cve-2026-33356/

Credits

Sammy Azdoufal Tod Beardsley of runZero, Inc.