Description
In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own. The broker enforces publish restrictions but does not enforce equivalent subscribe authorization at per-device scope.
Published: 2026-05-11
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Meari IoT Cloud MQTT Broker, which runs EMQX 4.x. It allows any authenticated user with low privileges to subscribe to global wildcard topics. Because the broker enforces publishing restrictions but fails to enforce corresponding subscription restrictions for each device, an attacker can receive telemetry data from devices beyond their ownership. This represents a confidentiality breach: the attacker gains unintended access to sensitive device data without requiring elevated rights.

Affected Systems

The affected product is the Meari IoT Cloud MQTT Broker built on EMQX 4.x. No specific version numbers are listed beyond the major EMQX 4.x series, so all deployments of that branch are potentially impacted. Users of Meari’s cloud services who rely on EMQX for MQTT messaging should confirm whether they run the 4.x branch and whether per-device ACL restrictions are in place.

Risk and Exploitability

With a CVSS score of 7.7, the vulnerability is considered high severity. The EPSS is not available, so the exploitation probability is unknown, but the issue is not catalogued in CISA KEV, indicating no confirmed public exploitation yet. The likely attack vector involves an authenticated low‑privilege user performing a simple MQTT SUBSCRIBE command with a wildcard topic. If the broker’s ACL configuration does not restrict such subscriptions, the attacker will receive all telemetry data for all devices, providing a clear pathway to data breach without needing additional access or credentials.

Generated by OpenCVE AI on May 11, 2026 at 17:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch for the Meari IoT Cloud MQTT Broker when it becomes available.
  • Reconfigure the EMQX broker to enforce per‑device subscribe ACLs or disable global wildcard subscriptions for non‑administrative users.
  • Monitor MQTT subscription logs for unauthorized wildcard subscribes and block offending accounts if necessary.
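To make the second recommendation concrete, here is an added example (not Meari's configuration and not EMQX's code) that models first-match ACL evaluation in the style of EMQX 4.x etc/acl.conf entries such as `{allow, {user, "%u"}, subscribe, ["devices/%u/#"]}.` and `{deny, all}.`, and evaluates the same subscribe requests under a weak policy and a hardened one. The rule-tuple shape, the `%u` placeholder and the topic-matching semantics are assumptions modelled on EMQX's documented behaviour rather than a port of its code; the `acl_nomatch` setting named in the comments is the emqx.conf knob I believe governs the no-match case in 4.x; the `devices/<username>/...` topic layout and the usernames are constructed for the example.

```python
"""Model of EMQX 4.x-style ACL evaluation (first matching rule wins).

Added example, not Meari's or EMQX's code. Rules are Python tuples that
mirror the shape of EMQX 4.x etc/acl.conf entries. Topic-matching
semantics ('+' one level, '#' the remaining levels, '%u' = username) are
an assumption modelled on EMQX's documented behaviour.
"""


def topic_match(name: str, pattern: str) -> bool:
    """Match a requested topic (or topic filter, its levels taken literally)
    against an ACL pattern in which '+' matches one level and '#' the rest."""
    n, p = name.split("/"), pattern.split("/")
    for i, level in enumerate(p):
        if level == "#":            # '#' must be last; matches zero or more levels
            return True
        if i >= len(n):
            return False
        if level != "+" and level != n[i]:
            return False
    return len(n) == len(p)


def decide(rules, username: str, action: str, topic: str, nomatch: str = "allow") -> str:
    """Return 'allow' or 'deny' for (username, action, topic).

    Each rule is (decision, who, action, topics):
      who     'all' or ('user', name); name may be the placeholder '%u'
      action  'publish', 'subscribe' or 'pubsub'
      topics  None (any topic) or a list of patterns; ('eq', t) means exact match
    nomatch models acl_nomatch in emqx.conf (assumption) when no rule matches.
    """
    for decision, who, act, topics in rules:
        if who != "all" and who[1].replace("%u", username) != username:
            continue
        if act != "pubsub" and act != action:
            continue
        if topics is not None:
            hit = False
            for t in topics:
                if isinstance(t, tuple):            # ('eq', topic): exact string match
                    hit = hit or t[1] == topic
                else:
                    hit = hit or topic_match(topic, t.replace("%u", username))
            if not hit:
                continue
        return decision
    return nomatch


# Constructed illustration of the flaw the advisory describes: publishes are
# scoped per device, but subscriptions fall through to a catch-all allow.
WEAK_RULES = [
    ("allow", ("user", "%u"), "publish", ["devices/%u/#"]),
    ("deny", "all", "publish", ["devices/#"]),
    ("allow", "all", "pubsub", None),       # acl.conf: {allow, all}.
]

# Hardened policy: each account is confined to its own device namespace, one
# explicit admin account keeps fleet-wide read, everything else is denied.
HARDENED_RULES = [
    ("allow", ("user", "admin"), "subscribe", ["$SYS/#", "devices/#"]),
    ("allow", ("user", "%u"), "pubsub", ["devices/%u/#"]),
    ("deny", "all", "pubsub", None),        # acl.conf: {deny, all}.
]


def compare(username: str, action: str, topic: str):
    """Evaluate one request under both policies; returns (weak, hardened)."""
    return (decide(WEAK_RULES, username, action, topic, nomatch="allow"),
            decide(HARDENED_RULES, username, action, topic, nomatch="deny"))


if __name__ == "__main__":
    for req in [("cam-user-42", "subscribe", "#"),
                ("cam-user-42", "subscribe", "devices/+/telemetry"),
                ("cam-user-42", "subscribe", "devices/cam-user-42/telemetry"),
                ("cam-user-42", "publish", "devices/cam-user-7/cmd")]:
        print(req, "weak=%s hardened=%s" % compare(*req))
```

Under these matching semantics a per-device allow pattern such as `devices/%u/#` never matches a requested filter like `devices/+/telemetry` or `#`, because the wildcards in the request are compared as literal levels. That is why the hardened policy relies on a final deny-all rule (and a deny no-match default) rather than on enumerating wildcard shapes to block: any subscription that is not explicitly granted is refused.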



Advisories

No advisories yet.

History

Tue, 12 May 2026 10:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Meari
                                      Meari iot Cloud Mqtt Broker Emqx
Vendors & Products                    Meari
                                      Meari iot Cloud Mqtt Broker Emqx

Mon, 11 May 2026 19:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 16:30:00 +0000

Type          Values Removed   Values Added
Description                    In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own. The broker enforces publish restrictions but does not enforce equivalent subscribe authorization at per-device scope.
Title                          Meari MQTT broker missing per-device subscribe ACL
Weaknesses                     CWE-639
References
Metrics                        cvssV3_1: {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: runZero

Published:

Updated: 2026-05-11T18:18:45.410Z

Reserved: 2026-03-19T00:27:05.986Z

Link: CVE-2026-33356

Vulnrichment

Updated: 2026-05-11T18:18:42.323Z

NVD

Status: Received

Published: 2026-05-11T17:16:30.590

Modified: 2026-05-11T17:16:30.590

Link: CVE-2026-33356

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:23:02Z

Weaknesses