Request Type
Other
Description
eBus MQTT Broker Does Not Enforce Publish ACLs
Summary
The eBus MQTT broker on SPAN Panel does not enforce publish ACLs for
consumer clients. Any authenticated consumer can publish to any topic in
the ebus/5/{serial}/ namespace, including the panel's own Homie device
state topics ($state, $description, and property values).
firmware: spanos2/r202603/05
Impact
A consumer client that sets an MQTT Last Will and Testament (LWT) on
ebus/5/{serial}/$state with payload lost (retained) will permanently
corrupt the broker's retained state if the client disconnects ungracefully.
All subsequent Homie-compliant consumers will see $state=lost and refuse
to connect, since the panel does not re-publish $state=ready to overwrite
the corrupted retained message.
Steps to Reproduce
- Authenticate a consumer client via /api/v2/auth/register
- Connect to the eBus broker
- Publish a retained message to ebus/5/{serial}/$state with payload lost
- Disconnect
- Connect a new consumer: it will see $state=lost and never receive ready
Expected Behavior
The broker should enforce topic ACLs per the Homie convention:
| Client | Publish | Subscribe |
|---|---|---|
| Panel (device) | ebus/5/{serial}/# | ebus/5/{serial}/+/+/set |
| Consumer | ebus/5/{serial}/+/+/set only | ebus/5/{serial}/# |
Consumer clients should only be permitted to publish to /set suffixed
topics (relay control, priority set, etc.). Publishes to $state,
$description, or bare property topics (anything not ending in /set) should
be rejected by the broker, and the same rule should apply to the Will topic
a consumer offers at CONNECT, since the broker publishes the will on the
client's behalf.
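The table above, expressed as the topic-filter check a broker (or a defensive consumer, before it sets a will or publishes anything) would run. This is an added example written for this issue, not SPAN firmware code or anything from the eBus project; the role names, the demo serial number and the node/property names (circuit-7/relay) are made up for illustration, and the filter semantics follow the MQTT 3.1.1/5.0 specification. Run against the reproduction steps above, the consumer's publish to $state is denied while a publish to a /set topic is allowed.

```python
"""Publish/subscribe ACL for the ebus/5/{serial}/ namespace.

Added example for this issue, not code from the SPAN firmware or the eBus
project. Role names, the demo serial and node/property names are made up.
"""

from typing import Dict, List, Tuple

# Filters per client role, straight from the Expected Behavior table.
# "{serial}" is substituted with the panel serial at check time.
PUBLISH_ACL: Dict[str, List[str]] = {
    "panel":    ["ebus/5/{serial}/#"],
    "consumer": ["ebus/5/{serial}/+/+/set"],
}
SUBSCRIBE_ACL: Dict[str, List[str]] = {
    "panel":    ["ebus/5/{serial}/+/+/set"],
    "consumer": ["ebus/5/{serial}/#"],
}


def filter_covers(acl_filter: str, requested: str) -> bool:
    """True if every topic matched by `requested` is also matched by
    `acl_filter`. `requested` may be a plain topic or itself a filter (as
    sent in SUBSCRIBE). '+' matches exactly one level; '#' matches any
    number of trailing levels and is only valid as the last level."""
    a = acl_filter.split("/")
    r = requested.split("/")
    for i, level in enumerate(a):
        if level == "#":
            return i == len(a) - 1
        if i >= len(r) or r[i] == "#":
            return False            # requested is broader than the ACL allows
        if level != "+" and level != r[i]:
            return False            # literal level mismatch (or requested '+')
    return len(a) == len(r)


def topic_matches(topic_filter: str, topic: str) -> bool:
    """Filter-vs-topic match, including the rule that a filter starting with
    a wildcard never matches a topic whose first level starts with '$'."""
    if topic.split("/")[0].startswith("$") and topic_filter.split("/")[0] in ("+", "#"):
        return False
    return filter_covers(topic_filter, topic)


def _allowed(acl: Dict[str, List[str]], role: str, serial: str, requested: str, cover: bool) -> bool:
    filters = [f.format(serial=serial) for f in acl.get(role, [])]   # unknown role -> no filters -> deny
    check = filter_covers if cover else topic_matches
    return any(check(f, requested) for f in filters)


def check_publish(role: str, serial: str, topic: str) -> bool:
    """Decision for a PUBLISH, and for the Will topic offered at CONNECT."""
    if "+" in topic or "#" in topic:
        return False                # wildcards are not valid in a publish topic
    return _allowed(PUBLISH_ACL, role, serial, topic, cover=False)


def check_subscribe(role: str, serial: str, requested_filter: str) -> bool:
    """Decision for a SUBSCRIBE: the requested filter must be fully covered."""
    return _allowed(SUBSCRIBE_ACL, role, serial, requested_filter, cover=True)


def evaluate(serial: str, attempts: List[Tuple[str, str, str]]) -> List[bool]:
    """attempts: (role, 'pub'|'sub', topic_or_filter) -> allow decisions."""
    out = []
    for role, action, topic in attempts:
        fn = check_publish if action == "pub" else check_subscribe
        out.append(fn(role, serial, topic))
    return out


DEMO_SERIAL = "nt-2316-c0ffee"      # constructed, not a real panel serial
DEMO_ATTEMPTS: List[Tuple[str, str, str]] = [
    ("consumer", "pub", f"ebus/5/{DEMO_SERIAL}/$state"),              # the repro above: must be denied
    ("consumer", "pub", f"ebus/5/{DEMO_SERIAL}/$description"),
    ("consumer", "pub", f"ebus/5/{DEMO_SERIAL}/circuit-7/relay"),     # bare property topic
    ("consumer", "pub", f"ebus/5/{DEMO_SERIAL}/circuit-7/relay/set"), # the only kind a consumer may publish
    ("consumer", "pub", "ebus/5/other-serial/circuit-7/relay/set"),   # another panel's namespace
    ("consumer", "sub", f"ebus/5/{DEMO_SERIAL}/#"),
    ("panel",    "pub", f"ebus/5/{DEMO_SERIAL}/$state"),
    ("panel",    "sub", f"ebus/5/{DEMO_SERIAL}/+/+/set"),
    ("panel",    "sub", f"ebus/5/{DEMO_SERIAL}/#"),                   # panel should not need everything
]

if __name__ == "__main__":
    for (role, action, topic), ok in zip(DEMO_ATTEMPTS, evaluate(DEMO_SERIAL, DEMO_ATTEMPTS)):
        print(f"{role:8} {action} {topic:48} {'ALLOW' if ok else 'DENY'}")
```

The SUBSCRIBE path is deliberately stricter than the PUBLISH path: a requested filter is accepted only if an ACL filter covers every topic it could match, so a consumer asking for ebus/5/{serial}/# is allowed but a panel asking for the same is not. Applied client-side, check_publish("consumer", serial, will_topic) rejects a $state will before the CONNECT is ever sent.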
Workaround
Consumer implementations must avoid setting an LWT and must not publish to
any topic other than .../set. If state corruption occurs, recovery is a
broker (panel) reboot. The missing ACL also means any consumer can overwrite
the retained $state with ready, or clear it by publishing a retained
zero-length payload to the same topic; that is a stopgap that depends on
the bug itself and stops working once ACLs are enforced.
Use Case
No response