CVE-2026-33356 Overview
CVE-2026-33356 is a broken access control vulnerability affecting Meari IoT Cloud MQTT Broker deployments running EMQX 4.x. The broker enforces publish restrictions but fails to apply equivalent subscribe authorization at per-device scope. Any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own.
The weakness is tracked as CWE-639: Authorization Bypass Through User-Controlled Key. It allows cross-tenant data exposure across the IoT cloud platform without requiring elevated privileges.
Critical Impact
Authenticated attackers can harvest telemetry from any device on the platform by subscribing to wildcard MQTT topics, exposing camera streams, sensor data, and other private IoT signals.
Affected Products
- Meari IoT Cloud MQTT Broker deployments
- EMQX 4.x broker as deployed by Meari
- Connected Meari-branded and OEM IoT devices publishing to the broker
Discovery Timeline
- 2026-05-11 - CVE-2026-33356 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-33356
Vulnerability Analysis
Meari operates an MQTT broker based on EMQX 4.x to relay messages between IoT devices and cloud services. MQTT uses a publish-subscribe model in which clients subscribe to topic filters, often containing wildcards such as + and #. The broker is responsible for enforcing Access Control Lists (ACLs) that determine which topics each client can publish to or subscribe to.
In this deployment, the broker enforces ACLs on publish operations to prevent clients from spoofing messages on behalf of other devices. However, the broker does not enforce equivalent per-device scope on subscribe operations. An authenticated low-privilege account can issue a subscribe request using a wildcard topic filter and receive telemetry streams belonging to unrelated tenants.
The vulnerability is network-reachable and requires only a valid low-privilege account. Confidentiality impact is high, with the scope extending beyond the attacker's own authorization boundary into other tenants.
Root Cause
The root cause is asymmetric ACL enforcement in the broker configuration. Publish ACLs are bound to the authenticated client identity and per-device topic structure, while subscribe ACLs are either missing or permit broad wildcard matches. This authorization gap maps directly to CWE-639, where access decisions rely on a user-controlled key (the topic filter) without validating ownership of the underlying resource.
Attack Vector
An attacker registers or compromises any low-privilege account on the Meari IoT Cloud platform. The attacker then connects to the MQTT broker using standard client libraries and issues a SUBSCRIBE packet with a wildcard filter such as # or device/+/telemetry. The broker accepts the subscription and forwards every matching message published by other devices to the attacker. No additional exploitation primitives are required. Public proof-of-concept material is available in the GitHub PoC repository and the RunZero security advisory.
Detection Methods for CVE-2026-33356
Indicators of Compromise
- MQTT SUBSCRIBE packets containing wildcard filters (#, +/#, or top-level prefixes) originating from non-administrative client IDs.
- Client sessions receiving telemetry volumes far exceeding the number of devices linked to the associated account.
- Connections from cloud or hosting provider IP ranges authenticating with consumer-tier credentials.
Detection Strategies
- Enable EMQX broker logging for SUBSCRIBE events and parse the topic filter field for wildcard usage by non-service accounts.
- Correlate authenticated user identity with the set of device IDs in subscribed topics, alerting when these do not match.
- Baseline normal subscribe patterns per account tier and flag deviations such as broad topic prefixes.
Monitoring Recommendations
- Forward EMQX emqx.log and ACL decision logs to a centralized analytics platform for retention and search.
- Monitor outbound traffic volumes per MQTT session and alert on sustained high-rate message delivery to a single subscriber.
- Audit account provisioning for newly created low-privilege accounts that immediately establish MQTT subscriptions.
How to Mitigate CVE-2026-33356
Immediate Actions Required
- Deploy an EMQX ACL policy that binds subscribe permissions to topics containing the authenticated client's owned device identifiers.
- Reject SUBSCRIBE requests containing # or top-level + wildcards from all non-service principals.
- Rotate credentials for any low-privilege account showing wildcard subscribe activity in historical logs.
Patch Information
No vendor patch is referenced in the NVD record at the time of publication. Operators should consult the RunZero security advisory for the latest remediation guidance and apply broker-level ACL hardening until a fix is issued by Meari.
Workarounds
- Configure EMQX acl.conf to deny subscribe by default and explicitly allow only per-device topic patterns scoped to the authenticated clientid or username.
- Disable anonymous and self-registration flows on the broker, or isolate self-registered accounts on a separate listener with restrictive ACLs.
- Place the broker behind an authentication proxy that validates device ownership before forwarding SUBSCRIBE packets.
# EMQX 4.x acl.conf example: deny wildcard subscribes, allow per-device only
{deny, all, subscribe, ["#", "+/#", "$SYS/#"]}.
{allow, {user, "%u"}, subscribe, ["device/%u/+", "device/%u/telemetry"]}.
{deny, all}.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
