diff --git a/apps/emqx_auth/etc/acl.conf b/apps/emqx_auth/etc/acl.conf
index 3cc0ed5b8..40fe1e1b2 100644
--- a/apps/emqx_auth/etc/acl.conf
+++ b/apps/emqx_auth/etc/acl.conf
@@ -4,7 +4,7 @@
 {allow, {ipaddr, "127.0.0.1"}, all, ["$SYS/#", "#"]}.
-{deny, all, subscribe, ["$SYS/#", {eq, "#"}]}.
+{deny, all, subscribe, ["$SYS/#", {eq, "#"}, {eq, "+/#"}]}.
 {allow, all}.
 %% NOTE! when deploy in production:
diff --git a/changes/ce/fix-13024.en.md b/changes/ce/fix-13024.en.md
new file mode 100644
index 000000000..ea4309f00
--- /dev/null
+++ b/changes/ce/fix-13024.en.md
@@ -0,0 +1,3 @@
+Add a default ACL deny-rule to reject subscription to `+/#` topic.
+
+Since EMQX by default rejects subscription to `#` topic, for completeness, it should reject `+/#` as well.
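Review bot: The new `{eq, "+/#"}` entry closes only one of the near-equivalent catch-all filters: `+/+/#`, `+/+/+/#` and so on are not listed, so a client can still subscribe to them and fall through to the `{allow, all}.` on the next line, which means the default deny is not "complete" in the sense the changelog claims. Since `{eq, …}` appears to be an exact-string match, enumerating such variants can never close that gap; the rule should be documented as a guard against the two most common catch-alls rather than a wildcard block, e.g. `%% NOTE: {eq, ...} entries are exact matches; +/+/# and deeper variants are still allowed by {allow, all} below.` placed above the deny line. Whether the preceding `{allow, {ipaddr, "127.0.0.1"}, all, ["$SYS/#", "#"]}.` still lets localhost subscribe to `+/#` depends on how the matcher treats wildcards inside the subscribed filter, which is not visible here; worth confirming so the new deny does not unexpectedly apply to local tooling that relied on the old behaviour.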