CVE-2026-50085

The Aqara Board service op-test.aqara.com accepts arbitrary MQTT command payloads, and forwards them to the platfom's HiveMQ broker without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and has an estimated CVSS...

CVE-2026-10557

CVE-2026-10557 concerns the Yarbo Android/iOS mobile applications, where hard-coded MQTT broker credentials are embedded in the application binary and identical across all users/devices. These credentials are extractable via APK decompilation and provide access to cloud MQTT brokers carrying real...

CVE-2026-46411

FlashMQ is a MQTT broker/server, designed for multi-CPU environments. Prior to version 1.26.2, authorized clients have the ability to exceed the permitted over-commit of their write buffer and triggering an internal safe-guard exception. This exception was in a path that was not catchable, and...

CVE-2026-49198

Improper access control in the MQTT broker allows wildcard topic subscriptions, exposing all MQTT traffic to unauthorized actors...

CVE-2026-49186 Lack of MQTT Broker Topic Access Control Lists

The local MQTT broker does not enforce topic-level Access Control Lists ACLs. This allows any client to subscribe using wildcard characters or + to enumerate hidden network devices or publish rogue control commands...

CVE-2026-49186

CVE-2026-49186 : The provided documents describe a vulnerability in a local MQTT broker where topic-level ACLs are not enforced. This allows any client to subscribe with wildcards (# or +) and enumerate hidden devices, or publish rogue control commands. The issue is rooted in missing access contr...

CVE-2026-49198

Improper access control in the MQTT broker allows wildcard topic subscriptions, exposing all MQTT traffic to unauthorized actors...

CVE-2026-49198

CVE-2026-49198 affects Predator Connect W6x: MQTT broker. The issue is improper access control that enables wildcard topic subscriptions, which can expose all MQTT traffic to unauthorized actors. Documents do not specify the vulnerable component beyond the broker, nor do they provide version numb...

CVE-2026-49198 Predator Connect W6x: MQTT Broker Access Control

Improper access control in the MQTT broker allows wildcard topic subscriptions, exposing all MQTT traffic to unauthorized actors...

CVE-2026-49198

Improper access control in the MQTT broker allows wildcard topic subscriptions, exposing all MQTT traffic to unauthorized actors...

PT-2026-44768

Improper access control in the MQTT broker allows wildcard topic subscriptions, exposing all MQTT traffic to unauthorized actors...

CVE-2026-47161 RELATE Vulnerable to Remote Code Execution (RCE) via Insecure Celery Pickle Deserialization

RELATE is a web-based courseware package. Prior to commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb, RELATE LMS configures its Celery workers to accept and deserialize untrusted 'pickle' data. An attacker who can reach the message broker can execute arbitrary commands on the host server. Combined...

CVE-2026-47161 RELATE Vulnerable to Remote Code Execution (RCE) via Insecure Celery Pickle Deserialization

RELATE is a web-based courseware package. Prior to commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb, RELATE LMS configures its Celery workers to accept and deserialize untrusted 'pickle' data. An attacker who can reach the message broker can execute arbitrary commands on the host server. Combined...

UBUNTU-CVE-2026-44838

RabbitMQ is a messaging and streaming broker. From 4.2.0 to before 4.2.4, RabbitMQ's MQTT plugin allows for topic-level authorization using regular expressions with variable substitution. Administrators can create patterns such as ^clientid-sensors$ to restrict user access to topics that include...

CVE-2026-44838 RabbitMQ MQTT Topic Permission Authorization Bypass

RabbitMQ is a messaging and streaming broker. From 4.2.0 to before 4.2.4, RabbitMQ's MQTT plugin allows for topic-level authorization using regular expressions with variable substitution. Administrators can create patterns such as ^clientid-sensors$ to restrict user access to topics that include...

CVE-2026-41704

AgentClienthandlemethod lines 264-303 processes every NATS reply. It calls injectcompilelog line 273 on every response, which reads response'value''result''compilelogid' line 332-338 and passes it to downloadanddeleteblob. Separately, any response containing 'exception' goes through formatexcepti...

EUVD-2026-29102

In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own. The broker enforces publish restrictions but does not enforce equivalent subscribe authorization a...

CVE-2026-33356 Meari MQTT broker missing per-device subscribe ACL

In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own. The broker enforces publish restrictions but does not enforce equivalent subscribe authorization a...

EUVD-2026-28400

The MQTT broker embedded in Yarbo firmware v2.3.9 is configured to allow anonymous connections with no topic-level read or write ACLs. Any host on the same network can subscribe to sensitive telemetry topics or publish control messages directly to the robot without authentication or authorization...

curl: MQTT CONNACK Packet Type Bypass leads to RCE via Malicious Broker

Summary: mqttverifyconnack in lib/mqtt.c never checks that the received packet type is actually a CONNACK 0x20. The constant MQTTMSGCONNACK is commented out at line 45, making the check impossible to write. A malicious broker can send any packet — e.g. PUBACK 0x40 — with remaininglength=2 and...