Description
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In NanoMQ version 0.24.6, after enabling auth.http_auth (HTTP authentication), when a client connects to the broker using MQTT CONNECT without providing username/password, and the configured params use the placeholders %u / %P (e.g., username="%u", password="%P"), the HTTP request construction phase enters auth_http.c:set_data(). This results in calling strlen() on a NULL pointer, causing a SIGSEGV crash. This crash can be triggered remotely, resulting in a denial of service. This issue has been patched in version 0.24.7.
Published: 2026-03-30
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

NanoMQ MQTT Broker version 0.24.6 contains a NULL pointer dereference (CWE-476) in auth_http.c:set_data(). With HTTP authentication enabled and the auth request params configured with the %u / %P placeholders, a client that sends an MQTT CONNECT without a username or password leaves those fields NULL; set_data() then calls strlen() on the NULL pointer while building the HTTP request, and the broker process crashes with SIGSEGV. Because the crash takes down the whole broker process, every connected client loses its session, and the trigger is a single unauthenticated CONNECT from any host that can reach the MQTT listener.
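
The sequence described above, as an added example in C that is not NanoMQ's code: a minimal MQTT 3.1.1 CONNECT parser that leaves username/password NULL when the client did not send them, a placeholder expansion that behaves the way the advisory describes set_data() behaving (strlen() on the NULL value), and a hardened form that refuses to build the request instead. The two CONNECT packets, the AUTH_PARAMS template and all function names are constructed for the example; the hardened expand_safe() is one possible fix and is not claimed to be the 0.24.7 change. The parser is deliberately simplified (single-byte remaining length, protocol name and level not validated).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Re-creation of the failure mode described for auth_http.c:set_data(). None
 * of this is NanoMQ's code: template, packet bytes and names are constructed. */
static const char AUTH_PARAMS[] = "username=%u&password=%P";   /* placeholder-style params */
static const uint8_t CONNECT_WITH_CREDS[] = {   /* constructed MQTT 3.1.1 CONNECT, client id "c1" */
    0x10, 0x1D, 0x00, 0x04, 'M', 'Q', 'T', 'T', 0x04,  /* fixed header, "MQTT", level 4 */
    0xC2, 0x00, 0x3C,                                   /* flags: user+pass+clean; keep-alive 60 s */
    0x00, 0x02, 'c', '1',                               /* client identifier */
    0x00, 0x05, 'a', 'l', 'i', 'c', 'e',                /* username */
    0x00, 0x06, 's', '3', 'c', 'r', 'e', 't',           /* password */
};
static const uint8_t CONNECT_NO_CREDS[] = {     /* same client, no credentials at all */
    0x10, 0x0E, 0x00, 0x04, 'M', 'Q', 'T', 'T', 0x04,
    0x02, 0x00, 0x3C,                                   /* flags: clean session only */
    0x00, 0x02, 'c', '1',
};
struct creds { char *user; char *pass; };

/* Length-prefixed MQTT string at *off: malloc'd copy, or NULL if truncated. */
static char *read_str(const uint8_t *p, size_t n, size_t *off)
{
    if (*off + 2 > n) return NULL;
    size_t len = ((size_t)p[*off] << 8) | p[*off + 1];
    if ((*off += 2) + len > n) return NULL;
    char *s = malloc(len + 1);
    if (!s) return NULL;
    memcpy(s, p + *off, len); s[len] = '\0';
    *off += len;
    return s;
}

/* Username/password from a CONNECT. Fields the client did not send stay NULL,
 * which is exactly the state handed to the placeholder expansion. */
static int parse_connect(const uint8_t *pkt, size_t n, struct creds *out)
{
    out->user = out->pass = NULL;
    if (n < 12 || pkt[0] != 0x10 || pkt[1] > 127 || (size_t)pkt[1] + 2 != n) return -1;
    size_t off = 9;                         /* connect flags byte */
    uint8_t flags = pkt[off++];
    off += 2;                               /* keep-alive */
    char *cid = read_str(pkt, n, &off);     /* client identifier, unused here */
    if (!cid) return -1;
    free(cid);
    if (flags & 0x04) {                     /* will flag: skip will topic and message */
        char *t = read_str(pkt, n, &off), *m = t ? read_str(pkt, n, &off) : NULL;
        int ok = t && m;
        free(t); free(m);
        if (!ok) return -1;
    }
    if ((flags & 0x80) && !(out->user = read_str(pkt, n, &off))) return -1;
    if ((flags & 0x40) && !(out->pass = read_str(pkt, n, &off))) return -1;
    return 0;
}

/* %u / %P expansion as the advisory describes set_data() behaving: with a NULL
 * user or pass, the first strlen() dereferences NULL (CWE-476, SIGSEGV). */
static char *expand_unsafe(const char *tmpl, const char *user, const char *pass)
{
    size_t ul = strlen(user), pl = strlen(pass), cap = 1;   /* crash site when NULL */
    for (const char *r = tmpl; *r; r++) {
        if (r[0] == '%' && r[1] == 'u')      { cap += ul; r++; }
        else if (r[0] == '%' && r[1] == 'P') { cap += pl; r++; }
        else cap++;
    }
    char *out = malloc(cap), *w = out;
    if (!out) return NULL;
    for (const char *r = tmpl; *r; r++) {
        if (r[0] == '%' && r[1] == 'u')      { memcpy(w, user, ul); w += ul; r++; }
        else if (r[0] == '%' && r[1] == 'P') { memcpy(w, pass, pl); w += pl; r++; }
        else *w++ = *r;
    }
    *w = '\0';
    return out;
}

/* Hardened form (one possible fix, not necessarily what 0.24.7 does): a template that
 * references a credential the client did not send yields NULL, so the caller rejects the CONNECT. */
static char *expand_safe(const char *tmpl, const char *user, const char *pass)
{
    if ((strstr(tmpl, "%u") && !user) || (strstr(tmpl, "%P") && !pass)) return NULL;
    return expand_unsafe(tmpl, user ? user : "", pass ? pass : "");
}

int main(void)
{
    const uint8_t *pkts[] = { CONNECT_WITH_CREDS, CONNECT_NO_CREDS };
    const size_t lens[] = { sizeof CONNECT_WITH_CREDS, sizeof CONNECT_NO_CREDS };
    for (int i = 0; i < 2; i++) {
        struct creds c;
        if (parse_connect(pkts[i], lens[i], &c) != 0) return 1;
        char *body = expand_safe(AUTH_PARAMS, c.user, c.pass);  /* expand_unsafe() would SIGSEGV for i == 1 */
        printf("packet %d: %s\n", i, body ? body : "CONNECT rejected, placeholder without a value");
        free(body); free(c.user); free(c.pass);
    }
    return 0;
}
```

The point of the split between expand_unsafe() and expand_safe() is where the decision is made: the unsafe version treats "no username flag in CONNECT" and "username present" identically until strlen() runs, whereas the safe version decides at the template level whether the request can be built at all. Substituting an empty string for a missing credential is the other common fix; it avoids the crash but silently forwards an empty username/password to the auth server, so rejecting is the more conservative default.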

Affected Systems

The affected product is NanoMQ, a lightweight MQTT broker from EMQX designed for edge environments. The CVE names version 0.24.6 as vulnerable and 0.24.7 as the fixed release. The NVD CPE entry (cpe:2.3:a:emqx:nanomq:*:*:*:*:*:*:*:*) is unversioned, so inventory checks should be based on the 0.24.7 fix boundary rather than on an exact match of 0.24.6, and the exposure only exists on brokers that have auth.http_auth enabled with %u / %P placeholders in the auth request params.

Risk and Exploitability

The CVSS v3.1 base score of 3.1 (AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L) rates the issue Low, mostly because the vector records high attack complexity and required user interaction. In practice the preconditions are configuration, not chance: auth.http_auth must be enabled and the auth request params must use the %u / %P placeholders, which is how client credentials are forwarded to the authentication server in the first place. Once that is the case, the trigger is a single MQTT CONNECT with no username or password, sent by an unauthenticated client over the network, and it can be repeated after every restart of the broker. The SSVC enrichment records Exploitation: poc, Automatable: no and Technical Impact: partial. EPSS puts the probability of exploitation in the wild below 1%, and the vulnerability is not listed in CISA's KEV catalog. The low score should therefore be read as low likelihood of mass exploitation, not as low impact: a reachable broker can be kept down, disrupting every downstream application that depends on it.

Generated by OpenCVE AI on April 13, 2026 at 16:09 UTC.

Remediation

Vendor fix: upgrade to NanoMQ 0.24.7, which the CVE description names as the patched release. No vendor-documented workaround is listed on this page.

OpenCVE Recommended Actions

  • Update NanoMQ to version 0.24.7 or later
  • If an upgrade cannot be performed immediately, restrict which hosts can reach the broker's MQTT listener, since the trigger is an unauthenticated CONNECT. Disabling auth.http_auth or replacing the %u / %P placeholders with literal values also stops the crash, but both prevent the client's credentials from reaching the authentication server and so weaken or remove authentication; treat them as short-lived stopgaps only
  • Verify that the broker is restarted after applying the update or configuration changes, and confirm that the running process reports 0.24.7 or later

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Emqx; Emqx nanomq
CPEs                                  cpe:2.3:a:emqx:nanomq:*:*:*:*:*:*:*:*
Vendors & Products                    Emqx; Emqx nanomq

Wed, 01 Apr 2026 02:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Nanomq; Nanomq nanomq
Vendors & Products                    Nanomq; Nanomq nanomq

Tue, 31 Mar 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 03:00:00 +0000

Type          Values Removed   Values Added
Description                    NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In NanoMQ version 0.24.6, after enabling auth.http_auth (HTTP authentication), when a client connects to the broker using MQTT CONNECT without providing username/password, and the configuration params uses the placeholders %u / %P (e.g., username="%u", password="%P"), the HTTP request construction phase enters auth_http.c:set_data(). This results in calling strlen() on a NULL pointer, causing a SIGSEGV crash. This crash can be triggered remotely, resulting in a denial of service. This issue has been patched in version 0.24.7.
Title                          NanoMQ HTTP Auth: Missing username/password can trigger a NULL-pointer strlen() in auth_http.c:set_data(), causing a process crash — SIGSEGV, remotely triggerable
Weaknesses                     CWE-476
References
Metrics                        cvssV3_1: {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T15:24:06.506Z

Reserved: 2026-03-13T14:33:42.822Z

Link: CVE-2026-32696

Vulnrichment

Updated: 2026-03-31T15:24:01.754Z

NVD

Status : Analyzed

Published: 2026-03-30T21:17:09.603

Modified: 2026-04-13T14:07:31.690

Link: CVE-2026-32696

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:42:33Z

Weaknesses