CVE-2026-49186: Lack of MQTT Broker Topic Access Control Lists
The local MQTT broker does not enforce topic-level Access Control Lists (ACLs). This allows any client to subscribe using wildcard characters (# or +) to enumerate hidden network devices or publish rogue control commands.
Metrics
- CVSS v4.0: 8.6
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a missing access-control vulnerability in the Acer Connect M6E 5G Portable WiFi Router firmware (versions up to and including M6E_AI_1.00.000019). The embedded MQTT broker runs without topic-level Access Control Lists, meaning any authenticated client that can reach the broker over the network can subscribe to all topics using wildcard characters or publish arbitrary control messages. Successful exploitation lets an attacker enumerate hidden network devices on the router and issue rogue commands to connected clients. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Acer publishes a fix version.
HarborGuard Coverage
- Detection for CVE-2026-49186 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that incorporate affected Acer firmware layers. (Status: Available)
- HarborGuard scores this CVE at 8.6 HIGH using the CVSS v4.0 vector and weights it against each environment's compliance policy to determine routing priority; findings are dispatched to the appropriate team inbox within each customer organization based on configured ownership rules. (Status: Available)
- Because no fix version has been published by Acer, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without any manual trigger. (Status: Pending upstream)
Exploit Conditions
- Network reachability: Required. The attacker must reach the MQTT broker service over the network; the broker listens on a network-accessible port on the router.
- Authentication: Required. A privileged (admin-level) account credential is needed to connect as an MQTT client, though once authenticated no further topic-level restrictions are enforced.
- Victim interaction: Not required. No user interaction is needed; the attacker operates entirely against the broker service without involving any other party.
- Attack complexity: Low. The exploit is reliable and requires no special race conditions or environmental setup beyond network access and valid credentials.
Blast Radius
- Attacker subscribes to all MQTT topics using wildcard characters, enumerating hidden devices and internal network topology information the broker carries.
- Attacker publishes rogue control commands to any topic, directing connected devices to take unintended actions.
- Confidentiality of all data in transit through the broker is compromised, including device state, sensor readings, and configuration payloads.
- Integrity of the router's connected-device ecosystem is compromised as injected commands can override legitimate control messages.
How HarborGuard Handles This
Available on HarborGuard: because Acer has not yet published a fix version for CVE-2026-49186, the platform monitors the upstream advisory on every ingest cycle and will trigger a patched-image rebuild automatically once a fix is released. For customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads. In the interim, compensating controls worth considering include applying network-policy rules to restrict which internal hosts can reach the router's MQTT broker port, enabling egress filtering to prevent unauthorized external MQTT connections, and where firmware configuration permits, disabling wildcard subscription support or restricting MQTT client authentication to a tightly scoped allowlist. HarborGuard will surface updated findings as soon as the advisory status changes.
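To make the missing control concrete, here is an added illustration (not code from the Acer firmware or from HarborGuard) of the topic-level ACL check a broker needs at SUBSCRIBE and PUBLISH time; the key point is that a requested subscription filter must be compared against the client's grant as a filter, so that `#` or `devices/+/#` cannot widen a narrow grant. The user names and topic layout are constructed for the example.

```python
# Added example (not Acer's or HarborGuard's code): a minimal topic-level ACL
# for an MQTT broker. Users, topic layout and policy below are constructed.

ACL = {  # user -> allowed subscription filters and allowed publish topics
    "sensor-7":  {"read": ["devices/sensor-7/#"], "write": ["devices/sensor-7/state"]},
    "dashboard": {"read": ["devices/+/state"],    "write": []},
    "admin":     {"read": ["#"],                  "write": ["devices/+/cmd"]},
}


def filter_matches_topic(filt, topic):
    """MQTT matching rule: '+' matches one level, '#' matches all remaining levels."""
    f, t = filt.split("/"), topic.split("/")
    for i, level in enumerate(f):
        if level == "#":
            return True
        if i >= len(t) or (level != "+" and level != t[i]):
            return False
    return len(f) == len(t)


def filter_covered_by(requested, allowed):
    """True only if every topic that `requested` could match is also matched by
    `allowed`. This is the check a broker must do at SUBSCRIBE time; matching the
    request against individual topics is not enough, because '#' or '+' in the
    request would otherwise slip past a per-topic lookup."""
    r, a = requested.split("/"), allowed.split("/")
    i = 0
    while True:
        if i < len(a) and a[i] == "#":
            return True                      # grant covers everything below here
        if i >= len(r):
            return i == len(a)               # request ends here; grant must too
        if i >= len(a) or r[i] == "#":
            return False                     # request reaches beyond the grant
        if a[i] != "+" and r[i] != a[i]:
            return False                     # '+' or other literal vs a fixed level
        i += 1


def authorize_subscribe(user, requested_filter, acl=ACL):
    grants = acl.get(user, {}).get("read", [])
    return any(filter_covered_by(requested_filter, g) for g in grants)


def authorize_publish(user, topic, acl=ACL):
    if "#" in topic or "+" in topic:         # wildcards are never valid in a PUBLISH
        return False
    grants = acl.get(user, {}).get("write", [])
    return any(filter_matches_topic(g, topic) for g in grants)
```

Without `filter_covered_by`, a client granted only `devices/sensor-7/#` could subscribe to `#` and see every other device's traffic, which is exactly the enumeration the advisory describes.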
Affected Products
- Acer / Connect M6E 5G Portable WiFi Router: ≤ M6E_AI_1.00.000019
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N