CVE-2026-33356
Meari · IoT Cloud MQTT Broker (EMQX)
Meari IoT Cloud MQTT Broker deployments using EMQX 4.x contain an authorization bypass vulnerability allowing authenticated users to access data outside their intended scope.
Executive summary
An authorization bypass in Meari’s EMQX 4.x MQTT broker allows authenticated users to access unauthorized device data, leading to potential information disclosure.
Vulnerability
The broker suffers from an authorization bypass (CWE-639) where user-controlled keys are not properly validated, allowing authenticated users to subscribe to or access data streams belonging to other devices.
Business impact
The vulnerability allows for horizontal privilege escalation, where one authenticated user can access the data of another, compromising the confidentiality of the entire IoT ecosystem. With a CVSS score of 7.7, this represents a severe risk to data privacy and could result in the leakage of sensitive telemetry or user data.
Remediation
Immediate Action: Contact Meari support regarding the availability of security updates for EMQX 4.x deployments, as no fix is currently public.
Proactive Monitoring: Audit MQTT broker logs for unauthorized subscription attempts or cross-device data access patterns.
Compensating Controls: Enforce strict per-client Access Control Lists (ACLs) within the MQTT broker configuration to limit the scope of what each authenticated user can access.
Exploitation status
Public Exploit Available: Unknown.
Analyst recommendation
Administrators must prioritize the review of MQTT broker configurations to ensure that ACLs are as restrictive as possible. Given the lack of a verified patch, isolating affected broker instances from public networks is the most effective way to limit exposure to this authorization bypass.