CVE-2026-33356 PUBLISHED

Meari MQTT broker missing per-device subscribe ACL

Assigner: runZero
Reserved: 19.03.2026 Published: 11.05.2026 Updated: 11.05.2026

In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own. The broker enforces publish restrictions but does not enforce equivalent subscribe authorization at per-device scope.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CVSS Score: 7.7

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Meari
Product	IoT Cloud MQTT Broker EMQX
Versions	Default: unaffected Version 4.x is affected

Credits

Sammy Azdoufal finder
Tod Beardsley of runZero, Inc. coordinator

References

Problem Types

CWE-639 Authorization Bypass Through User-Controlled Key CWE