CVE-2026-46411: FlashMQ Authentication DoS via Write Buffer Overflow
FlashMQ, an MQTT broker used in multi-CPU environments, contains a flaw that allows authenticated users to deliberately overwhelm the server's write buffer beyond its intended limits. When this happens, the server triggers a safety mechanism that crashes the entire broker rather than gracefully handling the condition. An attacker with valid credentials can exploit this to cause a denial of service, taking the messaging broker offline.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-248
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-17
NVD description (verbatim)
FlashMQ is a MQTT broker/server, designed for multi-CPU environments. Prior to version 1.26.2, authorized clients have the ability to exceed the permitted over-commit of their write buffer and triggering an internal safe-guard exception. This exception was in a path that was not catchable, and therefore causes a server abort. This issue has been patched in version 1.26.2.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46411 is a denial-of-service vulnerability in FlashMQ versions prior to 1.26.2 stemming from inadequate exception handling (CWE-248). Authenticated clients can craft MQTT write operations that exceed the configured over-commit threshold for client write buffers. The server's internal safeguard exception is thrown in a non-catchable code path, leading to an unhandled exception that aborts the broker process. The vulnerability requires valid client credentials and network access but no user interaction, resulting in a CVSS 3.1 score of 6.5 (Medium severity).
Business impact
Organizations running FlashMQ for IoT messaging, industrial automation, or real-time data ingestion face availability risk. A compromised or malicious internal user with broker credentials can trigger broker restarts, disrupting message flow to dependent systems. For deployments without automated failover or health monitoring, this translates to service interruption and potential data loss if messages queue unbounded during outages. The impact is limited to availability; confidentiality and integrity of message data are not compromised.
Affected systems
FlashMQ versions before 1.26.2 are affected. The vendor_products field in source data is empty, indicating no specific commercial product integrations are flagged; however, any self-hosted or embedded FlashMQ deployment at an older version is vulnerable. Organizations should audit their MQTT broker inventory and version state.
Exploitability
Exploitation requires valid MQTT client credentials and network access to the broker. The attack is trivial to execute—a standard MQTT client library can be used to send crafted publish messages that accumulate in the write buffer without requiring sophisticated techniques or user interaction. However, the need for prior authentication means opportunistic external exploitation is unlikely; the primary risk is from insider threats or compromised client applications with broker credentials.
Remediation
Upgrade FlashMQ to version 1.26.2 or later. This release includes patches to the exception handling logic in the write buffer management path, ensuring that over-commit conditions are caught and handled without crashing the broker. Organizations should plan an upgrade within their maintenance windows and test in a staging environment before production deployment.
Patch guidance
Update to FlashMQ 1.26.2 or newer. Coordinate the upgrade with operational windows to minimize messaging downtime. If running FlashMQ in a clustered or High Availability setup, rolling restarts may be performed to maintain availability during the upgrade. Verify the upgrade by confirming the broker version post-deployment and running load tests to confirm stability under normal buffer pressure.
Detection guidance
Monitor FlashMQ logs for unexpected broker exits or crashes, particularly those preceded by write buffer warnings or over-commit messages. Implement alerting on broker process restarts or abnormal terminations. Network-level detection is difficult since the attack uses valid credentials and standard MQTT protocol; focus on application-level anomaly detection such as a single client causing repeated broker restarts, or unusual patterns of rapid publish bursts followed by connectivity drops. Review MQTT client logs for failed connections or session resets correlating with broker outages.
Why prioritize this
Although the CVSS score is Medium (6.5), the practical impact and ease of exploitation from an authenticated attacker warrant timely patching. The vulnerability enables straightforward denial of service with minimal technical barriers, and the affected component—a message broker—is often critical to system continuity. Prioritize patches for production MQTT deployments, especially those handling time-sensitive or safety-related messaging. Non-production or development systems can follow standard update schedules.
Risk score, explained
CVSS 3.1 Base Score of 6.5 reflects a network-accessible service (AV:N) requiring low complexity to exploit (AC:L) and valid authentication (PR:L), with no confidentiality or integrity impact but high availability impact (A:H). The score appropriately captures that the vulnerability requires an insider or compromised client, limiting external attack surface, but enables trivial denial of service once credentials are obtained. Organization-specific risk may be higher or lower depending on the criticality of the MQTT broker and the trustworthiness of internal users with client credentials.
Frequently asked questions
Can this vulnerability be exploited without valid MQTT credentials?
No. CVE-2026-46411 requires the attacker to authenticate as an authorized MQTT client. External, unauthenticated attackers cannot trigger the vulnerability. The risk is primarily from insider threats or applications that have been compromised and possess valid broker credentials.
Does upgrading to 1.26.2 require downtime?
Not necessarily. If your FlashMQ deployment is clustered or configured for High Availability, you can perform rolling restarts of broker instances while load balancers route traffic to unaffected nodes. Single-broker deployments will experience a brief outage during the upgrade. Test the upgrade in staging first and plan the maintenance window accordingly.
Are there workarounds if we cannot upgrade immediately?
Implement network-level access controls to limit which clients or applications can connect to the broker, and monitor for anomalous publish patterns. However, these are mitigations, not fixes. Upgrade to 1.26.2 as soon as feasible since the exploit is straightforward for any authenticated user.
What makes this vulnerability different from other DoS issues?
This vulnerability is notable because it exploits a safeguard mechanism itself. The server's crash is not due to resource exhaustion but to an unhandled exception in the code path that is supposed to prevent abuse. The patch fixes the exception handling, turning what was a fatal error into a controlled rejection of the offending operation.
This vulnerability intelligence is provided for informational and remediation planning purposes. Organizations should verify all patch version numbers and availability against official vendor advisories and release notes. CVSS scores are provided by the vendor and should be contextually assessed for your specific environment. This analysis does not constitute security advice; consult with your security team and vendor for deployment-specific guidance. No exploit code or weaponized proof-of-concept is provided or endorsed. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-45554MEDIUMNiceGUI Static Asset Route Log Flooding Vulnerability
- CVE-2026-45676MEDIUMOpenTelemetry eBPF Instrumentation ELF Parser Denial of Service
- CVE-2026-45685HIGHOpenTelemetry eBPF Instrumentation MongoDB Parser DoS (v0.1.0–0.8.x)
- CVE-2026-46545HIGHNimiq State Sync Denial-of-Service Vulnerability (CVSS 7.5)
- CVE-2016-20064MEDIUMWP Vault 0.8.6.6 Arbitrary File Read via Directory Traversal
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)