CVE-2026-8741

A race condition exists in EMQX's QoS 2 PUBLISH packet handler (apps/emqx/src/emqx_persistent_session_ds.erl lines 520-522) where the broker publishes messages to subscribers before asynchronously committing the PacketId to persistent storage [1]. This non-atomic operation sequence violates the MQTT QoS 2 'exactly once' delivery guarantee in persistent sessions.

An attacker can exploit this by triggering the race window through a remote connection. Prerequisites include a broker with persistent sessions (DS storage), a client with clean_session=false, and at least one subscriber. During the window between message publication and the async state commit timer, a broker crash or client reconnection to a different cluster node can cause the PacketId to be lost, leading to duplicate delivery on retransmission [1]. The exploit is difficult due to the precise timing required.

Successful exploitation results in duplicate delivery of QoS 2 messages, which can have severe business consequences such as duplicate financial transactions or duplicate IoT commands (e.g., unlocking a door twice) [1].

The vendor was contacted early about this disclosure [1]. As of the publication date, no patch is mentioned, but users are advised to monitor EMQX updates for fixes. Given the low CVSS score (3.1) and high complexity, the risk is limited but should be addressed in environments where exactly-once delivery is critical.