CVE-2026-8741
3.1 LOW
A vulnerability has been found in EMQX up to 6.2.0
Published: 2026-05-17 · Last updated: 2026-05-20
Severity and scoring
- CVSS: 3.1 LOW
- Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
- CWE: CWE-362
Affected products
| Vendor | Product |
|---|---|
| emqx | emqx |
Description
A vulnerability has been found in EMQX up to 6.2.0. It affects an unknown function in the file apps/emqx/src/emqx_persistent_session_ds.erl of the QoS 2 PUBLISH Packet Handler component. Manipulation leads to a race condition. The attack can be performed remotely. The attack complexity is high, and exploitability is reported as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure.
Source: NVD
References
- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-8741)
- [Other](https://github.com/Pathfind-tama/Report_EMQX_MQTT)
- [Exploit reference](https://github.com/Pathfind-tama/Report_EMQX_MQTT/blob/main/MQTT%20QoS%202%20Message%20Duplication%20in%20Persistent%20Sessions.md)
- [Other](https://vuldb.com/submit/809931)
- [Other](https://vuldb.com/vuln/364329)
- [Other](https://vuldb.com/vuln/364329/cti)
Related CVEs
Same CWE
- CVE-2026-46693 — ImageMagick is free and open-source software used for editing and manipulating digital images (4.1 MEDIUM)
- CVE-2026-44693 — Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker (8.8 HIGH)
- CVE-2022-26758 — A malicious application may cause unexpected changes in memory shared between processes (7.1 HIGH)
- CVE-2026-1220 — Race in V8 in Google Chrome prior to 144.0.7559.99 allowed a remote attacker to potentially exploit type confusion via a crafted HTML page (7.5 HIGH)
- CVE-2026-45603 — Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally (7.0 HIGH)