A vulnerability exists in Mosquitto versions 0.15 to 1.4.12 inclusive known as CVE-2017-9868.
If persistence is enabled, then the persistence file is created world readable, which has the potential to make sensitive information available to any local user.
Patches are available to fix this for Unix like operating systems (i.e. not Windows): https://mosquitto.org/files/cve/2017-9868/
This will be fixed in version 1.4.13, due to be released shortly.
This can also be fixed administratively by removing world read permissions for the directory that the persistence file is stored in. In many systems this can be achieved with:
chmod 700 /var/lib/mosquitto