coreMQTT CVE-2026-8686: DoS via Crafted MQTT v5.0 Packet
The National Vulnerability Database has detailed CVE-2026-8686, a critical vulnerability in coreMQTT’s v5.0 property parser. Specifically, missing bounds validation in versions prior to 5.0.1 allows a malicious MQTT broker to trigger a denial of service (DoS) by transmitting a specially crafted packet. This flaw, rated with a CVSS score of 7.5 (HIGH), directly impacts the availability of MQTT services.
This isn’t some theoretical edge case. An attacker, acting as a rogue broker or compromising an existing one, could easily weaponize this to disrupt critical IoT and messaging infrastructure. The attack vector is network-based and requires no privileges and no user interaction, making it highly accessible to adversaries.
Defenders must prioritize patching. The National Vulnerability Database recommends upgrading coreMQTT to version 5.0.1 immediately. This is a straightforward fix for a high-impact vulnerability that could cripple services reliant on MQTT for real-time communication.
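The advisory gives no detail of the defect beyond missing bounds validation in the v5.0 property parser. As an added example (not coreMQTT code and not the project's fix), this is a bounds-checked walk over an MQTT v5.0 property block in C; the function names and the five-property subset are choices made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Decode a Variable Byte Integer (1 to 4 bytes) without reading past len. */
static int read_vbi(const uint8_t *buf, size_t len, size_t *pos, uint32_t *out) {
    uint32_t value = 0;
    for (int i = 0; i < 4; i++) {
        if (*pos >= len) return -1;                /* truncated input */
        uint8_t b = buf[(*pos)++];
        value |= (uint32_t)(b & 0x7F) << (7 * i);
        if ((b & 0x80) == 0) { *out = value; return 0; }
    }
    return -1;                                     /* continuation bit on 4th byte */
}

/* Skip one field with a 2-byte length prefix, staying inside [*pos, end). */
static int skip_prefixed(const uint8_t *buf, size_t end, size_t *pos) {
    if (end - *pos < 2) return -1;
    size_t n = ((size_t)buf[*pos] << 8) | buf[*pos + 1];
    if (end - *pos - 2 < n) return -1;             /* declared length overruns block */
    *pos += 2 + n;
    return 0;
}

/* Added example, not coreMQTT code: count properties (subset of ids), -1 if malformed. */
int count_properties(const uint8_t *buf, size_t len) {
    size_t pos = 0;
    uint32_t prop_len;
    int count = 0;
    if (buf == NULL || read_vbi(buf, len, &pos, &prop_len) != 0) return -1;
    if (prop_len > len - pos) return -1;           /* Property Length exceeds packet */
    size_t end = pos + prop_len;
    for (; pos < end; count++) {
        size_t fixed = 0;                          /* size of a fixed-width value */
        int strings = 0;                           /* count of length-prefixed fields */
        switch (buf[pos++]) {
        case 0x24: fixed = 1; break;               /* Maximum QoS: byte */
        case 0x21: fixed = 2; break;               /* Receive Maximum: two byte integer */
        case 0x11: fixed = 4; break;               /* Session Expiry Interval: four byte integer */
        case 0x1F: strings = 1; break;             /* Reason String: UTF-8 string */
        case 0x26: strings = 2; break;             /* User Property: UTF-8 string pair */
        default: return -1;                        /* id outside this example's subset */
        }
        while (strings-- > 0)
            if (skip_prefixed(buf, end, &pos) != 0) return -1;
        if (end - pos < fixed) return -1;          /* fixed-width value truncated */
        pos += fixed;
    }
    return count;
}
```

Every length taken from the wire (the Property Length, each string prefix, each fixed-width value) is compared against the bytes that remain before the cursor moves, so a malformed block is rejected rather than read past.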
What This Means For You
- If your organization utilizes coreMQTT, specifically versions prior to 5.0.1, you are exposed to a denial-of-service attack. Prioritize upgrading to coreMQTT v5.0.1 to mitigate CVE-2026-8686 immediately. Failure to patch could lead to significant operational disruption.
🛡️ Detection Rules
1 detection rule auto-generated for this incident, mapped to MITRE ATT&CK.
CVE-2026-8686 - coreMQTT v5.0.1 DoS via Crafted MQTT v5.0 Packet
```yaml
title: CVE-2026-8686 - coreMQTT v5.0.1 DoS via Crafted MQTT v5.0 Packet
id: scw-2026-05-15-ai-1
status: experimental
level: high
description: |
  Detects a potential denial of service attack targeting coreMQTT versions prior to 5.0.1. This rule looks for web server logs indicating an MQTT v5.0 connection attempt that results in a server error (HTTP 500), which could be indicative of a crafted packet exploiting the vulnerability.
author: SCW Feed Engine (AI-generated)
date: 2026-05-15
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-8686/
tags:
  - attack.impact
  - attack.t1499
logsource:
  # Web server access logs only: MQTT traffic that does not pass through
  # an HTTP front end produces no events for this rule to match.
  category: webserver
detection:
  selection:
    # Both fields must match: query string contains the literal and status is 500.
    cs-uri-query|contains:
      - 'MQTTv5.0'
    sc-status:
      - 500
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-8686 | DoS | coreMQTT |
| CVE-2026-8686 | DoS | coreMQTT before 5.0.1 |
| CVE-2026-8686 | DoS | MQTT v5.0 property parser |
| CVE-2026-8686 | DoS | Missing bounds validation |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 15, 2026 at 22:17 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.