CVE-2026-49186
Severity: CRITICAL
WAF coverage: Low
CVSS 9.8
Published: 2026-06-04
CWE-287
The local MQTT broker does not enforce topic-level Access Control Lists (ACLs). This allows any client to subscribe using wildcard characters (# or +) to enumerate hidden network devices or publish rogue control commands.
WAF Coverage Analysis
Improper Authentication
Low WAF Coverage
OWASP: A07:2021 Identification and Authentication Failures
Affected Software
| Vendor | Product | Version |
|---|---|---|
| acer | connect_m6e_5g_firmware | up to m6e_ai_1.00.000019 |
References
- community.acer.com (Mitigation, Vendor Advisory)