OVAL

[3.6] mosquitto: Pattern based ACLs can be bypassed (CVE-2017-7650)

ID: oval:org.secpod.oval:def:1800661
Date: (C)2018-03-28   (M)2023-04-17
Class: PATCH
Family: unix




A vulnerability exists in Mosquitto versions 0.15 to 1.4.11. Pattern-based ACLs can be bypassed by clients that set their username/client id to # or +. This allows locally or remotely connected clients to access MQTT topics that they do not have the rights to. The same issue may be present in third-party authentication/access control plugins for Mosquitto. The vulnerability only comes into effect where pattern-based ACLs are in use, or potentially where third-party plugins are in use.

Fixed In Version: mosquitto 1.4.12
Reference:
Patch:

Platform:
Alpine Linux 3.6
Product:
mosquitto
Reference:
7367
CVE-2017-7650
CVE    1
CVE-2017-7650
CPE    2
cpe:/a:mosquitto:mosquitto
cpe:/o:alpinelinux:alpine_linux:3.6
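
Added example (not Mosquitto's code and not its patch): the description above notes that third-party access control plugins may carry the same flaw, so this sketch shows a pattern ACL check that substitutes the identity unchecked beside one that rejects identities containing # or +. It assumes the %u (username) and %c (client id) placeholders of Mosquitto's ACL file; the function names, topics and patterns are constructed for illustration, and the topic matcher is simplified.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified MQTT filter match: '+' spans one level, '#' spans the rest. */
static bool filter_matches(const char *f, const char *t)
{
    for (; *f; f++) {
        if (*f == '#') return true;
        if (*f == '+') { while (*t && *t != '/') t++; }
        else if (*f != *t++) return false;
    }
    return *t == '\0';
}

/* Expand %u (username) and %c (client id) into the pattern (hypothetical helper). */
static void expand(const char *pat, const char *user, const char *cid, char *out, size_t n)
{
    size_t used = 0;
    for (out[0] = '\0'; *pat && used + 1 < n; pat++) {
        const char *sub = NULL;
        if (pat[0] == '%' && pat[1] == 'u') sub = user;
        else if (pat[0] == '%' && pat[1] == 'c') sub = cid;
        if (sub) { used += (size_t)snprintf(out + used, n - used, "%s", sub); pat++; }
        else { out[used++] = *pat; out[used] = '\0'; }
    }
}

/* Flawed shape: identity strings are placed into the topic filter unchecked. */
static bool acl_naive(const char *pat, const char *user, const char *cid, const char *topic)
{
    char filter[256];
    expand(pat, user, cid, filter, sizeof filter);
    return filter_matches(filter, topic);
}

/* Hardened shape: an identity containing a wildcard never matches a pattern ACL. */
static bool acl_checked(const char *pat, const char *user, const char *cid, const char *topic)
{
    if (strpbrk(user, "+#") || strpbrk(cid, "+#")) return false;
    return acl_naive(pat, user, cid, topic);
}

int main(void)
{
    const char *pat = "sensors/%u/data"; /* constructed sample pattern */
    printf("naive=%d checked=%d\n", acl_naive(pat, "+", "c1", "sensors/bob/data"),
           acl_checked(pat, "+", "c1", "sensors/bob/data"));
    return 0;
}
```

Plugin authors can run the same cases against their own ACL callback as a regression test after upgrading.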

© SecPod Technologies