CVE-2026-49186

Severity CVSS v4.0:
HIGH
Type:
CWE-287 Authentication Issues
Publication date:
04/06/2026
Last modified:
04/06/2026

Description

The local MQTT broker does not enforce topic-level Access Control Lists (ACLs). This allows any client to subscribe using wildcard characters (# or +) to enumerate hidden network devices or publish rogue control commands.

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:acer:connect_m6e_5g_firmware:*:*:*:*:*:*:*:* m6e_ai_1.00.000019 (including)
cpe:2.3:h:acer:connect_m6e_5g:-:*:*:*:*:*:*:*


References to Advisories, Solutions, and Tools