ZCyberNews

EMQX QoS 2 Race Condition CVE-2026-8741 Affects Up to 6.2.0

CVE-2026-8741 (CVSS 3.1 base score: 3.1) is a remotely exploitable race condition in EMQX's QoS 2 PUBLISH packet handler, affecting all versions up to 6.2.0.

Executive Summary

A race condition vulnerability tracked as CVE-2026-8741 has been disclosed in EMQX, the open-source MQTT message broker, affecting all versions up to and including 6.2.0. The flaw resides in the QoS 2 PUBLISH packet handler within the file apps/emqx/src/emqx_persistent_session_ds.erl. According to the NVD entry and a public report by researcher Pathfind-tama, the vulnerability enables a remote attacker to trigger a race condition that may corrupt persistent session state. The CVSS 3.1 base score is 3.1, reflecting the high attack complexity and difficult exploitation conditions. No patch has been released as of May 17, 2026.

Technical Analysis

The vulnerability specifically targets the QoS 2 (Exactly Once) delivery mechanism in EMQX's persistent session subsystem. QoS 2 is the highest MQTT quality-of-service level, requiring a four-packet handshake to ensure a message is delivered exactly once. The race condition arises in the emqx_persistent_session_ds.erl module, which manages session state for durable subscribers.

According to the researcher's report on GitHub, the flaw can be triggered by sending a crafted sequence of QoS 2 PUBLISH packets under specific timing conditions. The race window occurs between session state lookups and updates, potentially leading to inconsistent session metadata. An attacker who successfully exploits this could cause message duplication, session desynchronization, or denial of service for legitimate subscribers relying on persistent sessions.

EMQX is widely deployed in IoT, industrial control, and telecommunications environments where MQTT brokers handle millions of devices. The persistent session feature is critical for devices with intermittent connectivity, as it allows the broker to store undelivered messages until the client reconnects. A race condition in this subsystem could undermine delivery guarantees that many operational technology deployments depend on.

The CVSS 3.1 vector string has not been fully published by NVD, but the assigned base score of 3.1 indicates the attack requires significant expertise and favorable network conditions. The vulnerability is classified as high complexity and difficult to exploit, per the source material. No proof-of-concept exploit code has been publicly released.

Mitigations & Recommendations

As of this writing, EMQX has not released a patched version addressing CVE-2026-8741. Organizations running EMQX 6.2.0 or earlier should take the following steps:

  • Monitor EMQX official channels (GitHub, forums, mailing list) for a security release. The fix will likely involve adding proper locking or atomic operations in the emqx_persistent_session_ds.erl handler.
  • Restrict network access to the MQTT broker to trusted clients only. Use TLS mutual authentication and IP allowlists to reduce the attack surface.
  • Disable QoS 2 for untrusted client connections if operational requirements permit. QoS 1 (At Least Once) and QoS 0 (At Most Once) do not trigger the vulnerable code path.
  • Enable session auditing in EMQX to detect anomalous session state transitions. Logs from the persistent session module may reveal exploitation attempts.
  • Segment IoT/OT networks from corporate IT infrastructure to limit blast radius in the event of a compromise.

Defenders should treat this vulnerability with caution despite the low CVSS score, as the impact on session integrity could cascade into data loss or misdelivery in critical infrastructure settings.
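
Before restricting QoS 2 as recommended above, it helps to know which clients actually publish at that level. The Python below is an added example, not code from EMQX or the original report: it decodes the MQTT PUBLISH fixed header from captured packet bytes and counts QoS 2 publishes per client and topic. The client names, topics and sample bytes are constructed, and how packets are captured and attributed to a client is assumed to be handled elsewhere.

```python
from collections import Counter

def decode_remaining_length(buf, pos=1):
    """Decode MQTT's variable-length Remaining Length; return (value, next_pos)."""
    value = 0
    for i, byte in enumerate(buf[pos:pos + 4]):  # spec allows at most 4 length bytes
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:                      # continuation bit clear: last byte
            return value, pos + i + 1
    raise ValueError("truncated or over-long remaining length")

def parse_publish(packet):
    """Return PUBLISH header fields, or None for other packet types.
    packet_id is None for QoS 0, which carries no packet identifier."""
    if not packet or packet[0] >> 4 != 3:        # control packet type 3 = PUBLISH
        return None
    qos = (packet[0] >> 1) & 0x03                # QoS lives in flag bits 2..1
    if qos == 3:
        raise ValueError("QoS 3 is reserved: malformed PUBLISH")
    length, pos = decode_remaining_length(packet)
    end = pos + length
    topic_end = pos + 2 + int.from_bytes(packet[pos:pos + 2], "big")
    if end > len(packet) or topic_end + (2 if qos else 0) > end:
        raise ValueError("truncated or inconsistent PUBLISH")
    return {
        "qos": qos, "dup": bool(packet[0] & 0x08), "retain": bool(packet[0] & 0x01),
        "topic": packet[pos + 2:topic_end].decode("utf-8"),
        "packet_id": int.from_bytes(packet[topic_end:topic_end + 2], "big") if qos else None,
    }

def qos2_usage(capture):
    """Count QoS 2 PUBLISH packets per (client, topic) in [(client, raw_bytes), ...]."""
    usage = Counter()
    for client, raw in capture:
        info = parse_publish(raw)
        if info and info["qos"] == 2:
            usage[(client, info["topic"])] += 1
    return usage

# Constructed sample capture; client names, topics and payloads are made up.
SAMPLE = [
    ("plc-gw-01", b"\x34\x0f\x00\x09plc/1/cmd\x00\x10on"),  # QoS 2, packet id 16
    ("plc-gw-01", b"\x34\x0f\x00\x09plc/1/cmd\x00\x11on"),  # QoS 2, packet id 17
    ("sensor-7", b"\x30\x0a\x00\x06t/temp21"),              # QoS 0, no packet id
    ("sensor-7", b"\x3a\x08\x00\x03a/b\x00\x01x"),          # QoS 1 with DUP set
    ("sensor-7", b"\xc0\x00"),                              # PINGREQ, skipped
]

if __name__ == "__main__":
    print(dict(qos2_usage(SAMPLE)))
```

Clients and topics that never appear in the result are candidates for a QoS 1 ceiling without any change on the device side.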
