Description
A vulnerability has been found in EMQX up to 6.2.0. This affects an unknown function of the file apps/emqx/src/emqx_persistent_session_ds.erl of the component QoS 2 PUBLISH Packet Handler. Such manipulation leads to race condition. The attack may be performed from remote. A high complexity level is associated with this attack. The exploitability is reported as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure.
Published: 2026-05-17
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition exists in EMQX's QoS 2 PUBLISH packet handling module, where a specific function in emqx_persistent_session_ds.erl can be manipulated to execute concurrently in an unexpected order. This flaw can result in duplicate processing of messages, state corruption, or inconsistent session handling, and is categorized under CWE‑362. The vulnerability is exploitable from remote connections and requires significant effort to trigger successfully, reflected in a high complexity and difficult exploitability rating.

Affected Systems

EMQX, all versions up to and including 6.2.0 are affected. Users of the EMQX MQTT broker should verify that their deployment is not running a vulnerable version and plan to upgrade beyond 6.2.0.

Risk and Exploitability

The CVSS score of 2.3 indicates low severity, and the publicly disclosed exploit is considered difficult, with no current evidence of widespread use. Attackers could remotely craft QoS 2 PUBLISH packets to trigger the race, but the exploit is not trivial and has not been weaponized in known campaigns. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 17, 2026 at 10:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade EMQX to version 6.2.1 or later where the race condition fix is included.
  • Restrict remote access to the MQTT broker by configuring firewall rules or VPN to limit who can send QoS 2 PUBLISH packets.
  • Enable authentication and TLS encryption on the broker so only authorized clients can publish messages.
  • Monitor broker logs for duplicate message patterns or abnormal state changes that may indicate race condition attempts.

Generated by OpenCVE AI on May 17, 2026 at 10:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 17 May 2026 09:00:00 +0000

Type Values Removed Values Added
Description A vulnerability has been found in EMQX up to 6.2.0. This affects an unknown function of the file apps/emqx/src/emqx_persistent_session_ds.erl of the component QoS 2 PUBLISH Packet Handler. Such manipulation leads to race condition. The attack may be performed from remote. A high complexity level is associated with this attack. The exploitability is reported as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure.
Title EMQX QoS 2 PUBLISH Packet emqx_persistent_session_ds.erl race condition
First Time appeared Emqx
Emqx emqx
Weaknesses CWE-362
CPEs cpe:2.3:a:emqx:emqx:*:*:*:*:*:*:*:*
Vendors & Products Emqx
Emqx emqx
References
Metrics cvssV2_0

{'score': 2.1, 'vector': 'AV:N/AC:H/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.1, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Emqx Emqx
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-17T08:15:08.625Z

Reserved: 2026-05-16T11:19:08.422Z

Link: CVE-2026-8741

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-17T09:16:35.013

Modified: 2026-05-17T09:16:35.013

Link: CVE-2026-8741

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-17T11:00:12Z

Weaknesses