🚀 runZero 4.9 is here: Map the unmappable. Secure every path. More
runZero CAASM

On This Page:

  1. Executive summary
  2. Technical details
  3. Attacker value
  4. Credit
  5. Timeline

Meari MQTT broker missing per-device subscribe ACL

todb
|
Updated
Vendors Meari
Products
Meari IoT Cloud MQTT Broker EMQX 4.x
  • Meari IoT Cloud MQTT Broker EMQX 4.x
Related

Executive summary #

In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x (latest observed in this disclosure), any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own. The broker enforces publish restrictions but does not enforce equivalent subscribe authorization at per-device scope.

The issue breaks tenant isolation for read access and exposes platform-wide device events, including alert metadata and links to camera artifacts, across unrelated customer accounts.

This is an instance of CWE-639: Authorization Bypass Through User-Controlled Key, and has an estimated CVSS vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (7.7 High).

Technical details #

Further technical details can be found at the original disclosure, Nobody Puts Baby In A Corner.

Attacker value #

This issue provides immediate at-scale surveillance value: an attacker with only a normal cloud account can ingest platform-wide event streams and continuously collect sensitive household telemetry. The attack is low-friction and does not require ownership of target devices.

This CVE is a high-value pivot point for chaining. Data harvested here (device identifiers and image URLs) directly enables follow-on abuse in CVE-2026-33357 and CVE-2026-33359, amplifying both precision targeting and privacy impact.

Credit #

These issues were discovered, documented, and disclosed by Sammy Azdoufal. CVE coordination was performed by Tod Beardsley of runZero, Inc.

Timeline #

2026-03-11: Issues identified by the researcher, reviewed by runZero, and disclosed to vendor

2026-04-03: Opened VINCE Case VU#579666 with CISA for tracking

2026-April/May: Email comms between the vendor and the researcher, throughout April and May

2026-04-28: Researcher and runZero refined findings

2026-05-06: Confirmed findings and disclosure process with The Verge

2026-05-11: Public disclosure of CVE-2026-33356

Written by todb

Tod Beardsley is VP of Security Research at runZero, where he "kicks assets and fakes frames." Prior to 2025, he was the Section Chief for the Vulnerability Response section for CSD/VM/VRC at CISA, the Cybersecurity and Infrastructure Security Agency, part of the US government, and a seasonal Travis County Election Judge in Texas. He's also a founder and CNA point of contact for AHA!. Tod spends much of his time involved in vulnerability research and coordinated vulnerability disclosure (CVD). He has over 30 years of hands-on security experience, stretching from in-band telephony switching to modern ICS/OT implementations. He has held IT ops, security, software engineering, and management positions in large organizations such as the US Government, Rapid7, 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Tod is a CVE Board member, has authored several research papers, and is an internationally-tolerated horror fiction expert.

More about todb
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

runZero CAASM
© Copyright 2026 runZero, Inc. All Rights Reserved