| tiêu đề | EMQ Technologies Inc. EMQX Enterprise 6.1.0 Improper Access Control |
|---|
| Mô tả | EMQX Enterprise versions 6.1.0 and earlier improperly manage MQTT sessions by using Client ID as the sole session identifier without binding it to the authenticated username. An authenticated attacker can connect to the broker using another user’s Client ID. Because the broker does not verify whether the Client ID belongs to the connecting user, it terminates the existing connection of the legitimate client, resulting in denial of service. The attacker only needs valid credentials and knowledge of the target Client ID; the victim’s password is not required. This issue enables cross‑user session takeover and disruption in multi‑tenant deployments. |
|---|
| Nguồn | ⚠️ https://github.com/cailiujia/CVE |
|---|
| Người dùng | CCCaaa (UID 96811) |
|---|
| Đệ trình | 26/03/2026 09:38 (cách đây 26 ngày) |
|---|
| Kiểm duyệt | 18/04/2026 18:07 (23 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 358201 [EMQ EMQX Enterprise đến 6.1.0 Session Handling nâng cao đặc quyền] |
|---|
| điểm | 19 |
|---|