CVE-2026-8741 Overview
CVE-2026-8741 is a race condition vulnerability in EMQX, an open-source Message Queuing Telemetry Transport (MQTT) broker, affecting versions up to 6.2.0. The flaw resides in the QoS 2 PUBLISH packet handler implemented in apps/emqx/src/emqx_persistent_session_ds.erl. Concurrent handling of QoS 2 PUBLISH packets in persistent sessions can lead to message duplication. The issue is classified under [CWE-362] (Concurrent Execution using Shared Resource with Improper Synchronization). The vendor was contacted prior to public disclosure, and a proof-of-concept has been published. Exploitation requires authenticated network access and is reported as difficult due to high attack complexity.
Critical Impact
Authenticated remote clients may trigger duplication of QoS 2 messages in persistent sessions, undermining MQTT delivery semantics for downstream consumers.
Affected Products
- EMQX versions up to and including 6.2.0
- Deployments using persistent sessions (Durable Sessions / emqx_persistent_session_ds)
- MQTT clients communicating with EMQX using QoS 2 PUBLISH packets
Discovery Timeline
- 2026-05-17 - CVE-2026-8741 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-8741
Vulnerability Analysis
The defect is a race condition in EMQX's persistent session subsystem, specifically in the QoS 2 PUBLISH packet handler within emqx_persistent_session_ds.erl. MQTT QoS 2 guarantees exactly-once delivery through a four-step handshake (PUBLISH, PUBREC, PUBREL, PUBCOMP). The persistent session module tracks in-flight packet identifiers to deduplicate retransmissions. When concurrent packet handling interleaves with session state updates, the deduplication check and the state commit are not performed atomically. As documented in the public analysis on MQTT Duplication, this allows the same logical message to be processed and delivered more than once to subscribers.
Root Cause
The root cause is improper synchronization of shared session state between concurrent processes handling QoS 2 packets in durable sessions. The check-then-act sequence on the in-flight packet identifier set is not protected as a single atomic operation, breaking the exactly-once guarantee that QoS 2 is intended to provide.
Attack Vector
Exploitation requires an authenticated MQTT client with low privileges and network reachability to the broker. The client must issue QoS 2 PUBLISH packets to a persistent session in a manner that wins the race window between the deduplication check and the session state commit. Successful exploitation does not affect confidentiality or integrity of broker data, but produces duplicated message delivery, impacting availability and correctness for QoS 2 consumers. The proof-of-concept is published in the GitHub PoC Repository; no synthetic code is reproduced here.
Detection Methods for CVE-2026-8741
Indicators of Compromise
- Duplicate QoS 2 message receipts on subscribers despite single PUBLISH from the producer.
- Anomalous bursts of PUBLISH / PUBREL packets from a single client toward persistent session topics.
- Inconsistencies between broker-side message counters and subscriber-side received message counts.
Detection Strategies
- Inspect EMQX broker logs for repeated processing of identical packet identifiers within the same session lifecycle.
- Correlate MQTT message IDs across producer, broker, and consumer telemetry to identify duplication.
- Monitor EMQX metrics messages.qos2.received and messages.delivered for divergence under persistent session workloads.
Monitoring Recommendations
- Enable detailed MQTT packet tracing on brokers running EMQX versions at or below 6.2.0.
- Stream broker telemetry into a centralized analytics platform to baseline expected QoS 2 traffic and detect anomalies.
- Track authenticated client behavior for unusual concurrency patterns against the same persistent session.
How to Mitigate CVE-2026-8741
Immediate Actions Required
- Inventory EMQX deployments and identify any broker running version 6.2.0 or earlier with persistent sessions enabled.
- Restrict QoS 2 PUBLISH permissions through EMQX Access Control Lists to trusted clients only.
- Apply the vendor's fixed release once published and validate persistent session behavior in a staging environment.
Patch Information
No specific patched version is referenced in the NVD entry at time of publication. Consult the GitHub Analysis on MQTT Duplication and the VulDB Vulnerability Report #364329 for status updates, and track upstream EMQX release notes for fixes to emqx_persistent_session_ds.erl.
Workarounds
- Downgrade affected MQTT topics or clients from QoS 2 to QoS 1 where exactly-once semantics are not strictly required, accepting at-least-once delivery.
- Disable persistent (durable) sessions for clients that do not require session continuity across reconnects.
- Implement application-layer idempotency on subscribers so duplicated QoS 2 deliveries do not cause downstream side effects.
# Example: restrict QoS 2 PUBLISH via EMQX ACL (emqx.conf / acl.conf)
# Allow only specific authenticated clients to publish QoS 2 messages
{allow, {username, "trusted_publisher"}, publish, ["sensors/#"]}.
{deny, all, publish, ["#"]}.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
