Description
A vulnerability was found in EMQ EMQX Enterprise up to 6.1.0. The impacted element is an unknown function of the component Session Handling. The manipulation results in improper authorization. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Improper Authorization
Action: Assess Impact
AI Analysis

Impact

A flaw exists within an undisclosed function of EMQ EMQX Enterprise’s Session Handling component that allows attackers to bypass normal authorization controls. The remote nature of the exploit means an attacker can potentially hijack or forge a session without any local interaction, leading to unauthorized access to the broker and its connected clients.

Affected Systems

EMQ EMQX Enterprise versions up to and including 6.1.0 are affected. The vulnerability applies to all deployments using those releases, regardless of geographic location or environment.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. The EPSS score is currently unavailable, and the issue has not been added to the CISA KEV list. Attackers can exploit the flaw remotely, but no public exploit code is confirmed beyond the discovery references. In the absence of a vendor patch, the risk remains moderate until remedial action is taken.

Generated by OpenCVE AI on April 19, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade EMQX Enterprise to a version newer than 6.1.0 once the vendor releases a fix.
  • Restrict access to EMQX Enterprise’s management and session interfaces to trusted networks or VPNs, blocking exposure to the public internet.
  • Enforce strict role‑based authentication and review session policies to limit the ability of compromised accounts to perform privileged actions.

Generated by OpenCVE AI on April 19, 2026 at 11:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 19 Apr 2026 10:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in EMQ EMQX Enterprise up to 6.1.0. The impacted element is an unknown function of the component Session Handling. The manipulation results in improper authorization. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title EMQ EMQX Enterprise Session Handling improper authorization
Weaknesses CWE-266
CWE-285
References
Metrics cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-19T09:30:15.159Z

Reserved: 2026-04-18T16:06:43.207Z

Link: CVE-2026-6564

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-19T10:16:08.457

Modified: 2026-04-19T10:16:08.457

Link: CVE-2026-6564

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-19T11:30:15Z

Weaknesses