{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33356", "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914", "state": "PUBLISHED", "assignerShortName": "runZero", "dateReserved": "2026-03-19T00:27:05.986Z", "datePublished": "2026-05-11T16:02:14.046Z", "dateUpdated": "2026-05-11T18:18:45.410Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "44488dab-36db-4358-99f9-bc116477f914", "shortName": "runZero", "dateUpdated": "2026-05-11T16:02:14.046Z"}, "title": "Meari MQTT broker missing per-device subscribe ACL", "datePublic": "2026-05-11T16:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "affected": [{"vendor": "Meari", "product": "IoT Cloud MQTT Broker EMQX", "versions": [{"status": "affected", "version": "4.x", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own. The broker enforces publish restrictions but does not enforce equivalent subscribe authorization at per-device scope.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own. The broker enforces publish restrictions but does not enforce equivalent subscribe authorization at per-device scope."}]}], "references": [{"url": "https://github.com/xn0tsa/nobody-puts-baby-in-a-corner", "tags": ["technical-description"]}, {"url": "https://www.runzero.com/advisories/meari-mqtt-broker-missing-per-device-subscribe-acl-cve-2026-33356/", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 7.7, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"}}], "credits": [{"lang": "en", "value": "Sammy Azdoufal", "type": "finder"}, {"lang": "en", "value": "Tod Beardsley of runZero, Inc.", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-11T18:18:36.704517Z", "id": "CVE-2026-33356", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-11T18:18:45.410Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33356", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-11T18:18:36.704517Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-11T18:18:42.323Z"}}], "cna": {"title": "Meari MQTT broker missing per-device subscribe ACL", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Sammy Azdoufal"}, {"lang": "en", "type": "coordinator", "value": "Tod Beardsley of runZero, Inc."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Meari", "product": "IoT Cloud MQTT Broker EMQX", "versions": [{"status": "affected", "version": "4.x", "versionType": "custom"}], "defaultStatus": "unaffected"}], "datePublic": "2026-05-11T16:00:00.000Z", "references": [{"url": "https://github.com/xn0tsa/nobody-puts-baby-in-a-corner", "tags": ["technical-description"]}, {"url": "https://www.runzero.com/advisories/meari-mqtt-broker-missing-per-device-subscribe-acl-cve-2026-33356/", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.2"}, "descriptions": [{"lang": "en", "value": "In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own. The broker enforces publish restrictions but does not enforce equivalent subscribe authorization at per-device scope.", "supportingMedia": [{"type": "text/html", "value": "In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own. The broker enforces publish restrictions but does not enforce equivalent subscribe authorization at per-device scope.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "44488dab-36db-4358-99f9-bc116477f914", "shortName": "runZero", "dateUpdated": "2026-05-11T16:02:14.046Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33356", "state": "PUBLISHED", "dateUpdated": "2026-05-11T18:18:45.410Z", "dateReserved": "2026-03-19T00:27:05.986Z", "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914", "datePublished": "2026-05-11T16:02:14.046Z", "assignerShortName": "runZero"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own. The broker enforces publish restrictions but does not enforce equivalent subscribe authorization at per-device scope."}], "id": "CVE-2026-33356", "lastModified": "2026-05-11T17:16:30.590", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "44488dab-36db-4358-99f9-bc116477f914", "type": "Secondary"}]}, "published": "2026-05-11T17:16:30.590", "references": [{"source": "44488dab-36db-4358-99f9-bc116477f914", "url": "https://github.com/xn0tsa/nobody-puts-baby-in-a-corner"}, {"source": "44488dab-36db-4358-99f9-bc116477f914", "url": "https://www.runzero.com/advisories/meari-mqtt-broker-missing-per-device-subscribe-acl-cve-2026-33356/"}], "sourceIdentifier": "44488dab-36db-4358-99f9-bc116477f914", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "44488dab-36db-4358-99f9-bc116477f914", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "4.x"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "IoT Cloud MQTT Broker EMQX", "source": "cna", "vendor": "Meari"}, "product": "iot_cloud_mqtt_broker_emqx", "vendor": "meari"}], "created": "2026-05-11T17:45:26.335642+00:00", "updated": "2026-05-12T09:23:02.168455+00:00", "vendors": ["meari", "meari$PRODUCT$iot_cloud_mqtt_broker_emqx"]}