Executive Summary

CVE-2026-33356 is a security vulnerability in the Meari IoT Cloud MQTT Broker running on EMQX 4.x. It allows any authenticated low-privilege user to subscribe to global wildcard topics and receive telemetry data from devices they do not own.

While the broker enforces restrictions on publishing messages, it does not enforce equivalent authorization controls on subscribing to topics at the per-device level. This means users can bypass tenant isolation for read access and access telemetry, alerts, and camera data from unrelated customer devices.

The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key) and has a high CVSS score of 7.7.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts by exposing sensitive telemetry and private data from devices you do not own.

• Unauthorized users can receive real-time motion alerts, device-binding events, and other sensitive information from all devices on the platform.
• It breaks tenant isolation, allowing attackers to surveil households and collect sensitive data without permission.
• The exposure includes platform-wide device events such as alert metadata and camera artifact links.
• Attackers with normal cloud accounts can exploit this vulnerability to conduct surveillance and potentially launch follow-on attacks.
• The vulnerability affects over 1.1 million registered devices globally, making the impact widespread.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring MQTT broker subscriptions for unauthorized access to global wildcard topics such as "meari/#". An authenticated low-privilege user subscribing to such wildcard topics and receiving telemetry data from devices they do not own indicates the presence of the vulnerability.

Commands to detect this might include using MQTT client tools to attempt subscribing to global wildcard topics with a low-privilege account and observing if telemetry data from unrelated devices is received.

• Use an MQTT client (e.g., mosquitto_sub) to subscribe to the wildcard topic: mosquitto_sub -h <broker_address> -t 'meari/#' -u <low_privilege_user> -P <password>
• Monitor network traffic for MQTT SUBSCRIBE packets to global wildcard topics from low-privilege accounts.
• Check broker logs for subscriptions to wildcard topics by users who should not have access to those devices.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting or disabling subscriptions to global wildcard topics for low-privilege users and implementing per-device subscribe authorization controls in the MQTT broker configuration.

Since the broker enforces publish restrictions but not subscribe restrictions, administrators should apply access control lists (ACLs) or equivalent mechanisms to enforce subscribe permissions at the per-device level.

Additionally, monitoring and auditing subscriptions to sensitive topics can help detect and prevent unauthorized data access.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows any authenticated low-privilege user to access telemetry data and sensitive information from devices they do not own, breaking tenant isolation and exposing private data across unrelated customer accounts.

This unauthorized access to sensitive personal and device data could lead to violations of data protection regulations such as GDPR, which mandates strict controls on personal data access and processing.

Similarly, for regulations like HIPAA, if the exposed telemetry or device data includes protected health information, this vulnerability could result in non-compliance due to unauthorized disclosure.

Overall, the lack of per-device subscribe authorization undermines confidentiality and data access controls required by common standards and regulations.

Useful 0 Not Useful 0