Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server provides an MQTT client interface. Prior to versions 2.11.15 and 2.12.5, Sessions and Messages can by hijacked via MQTT Client ID malfeasance. Versions 2.11.15 and 2.12.5 patch the issue. No known workarounds are available.
Published: 2026-03-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Session hijacking via MQTT Client ID manipulation
Action: Patch immediately
AI Analysis

Impact

The vulnerability allows an attacker to hijack active sessions and messages in the NATS-Server by crafting a malicious MQTT Client ID. This weakness can be exploited to gain unauthorized control over communication flows, potentially leading to data interception or tampering with the messaging system.

Affected Systems

The flaw affects the nats-server by nats-io. Versions earlier than 2.11.15 and 2.12.5 are vulnerable. The issue is fixed starting with 2.11.15 and 2.12.5 and any later releases.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score is less than 1%, suggesting low exploitation probability, and the vulnerability is not present in the CISA KEV catalog. Based on the description, the likely attack vector involves a malicious MQTT client connecting to the server with a crafted Client ID, allowing the attacker to hijack existing sessions or manipulate messages.

Generated by OpenCVE AI on March 31, 2026 at 05:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade nats-server to version 2.11.15 or later 2.12.5 or a newer release.

Generated by OpenCVE AI on March 31, 2026 at 05:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-fcjp-h8cc-6879 NATS is vulnerable to MQTT hijacking via Client ID
History

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-290
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 26 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Linuxfoundation
Linuxfoundation nats-server
CPEs cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*
Vendors & Products Linuxfoundation
Linuxfoundation nats-server

Wed, 25 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Nats
Nats nats Server
Vendors & Products Nats
Nats nats Server

Tue, 24 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Description NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server provides an MQTT client interface. Prior to versions 2.11.15 and 2.12.5, Sessions and Messages can by hijacked via MQTT Client ID malfeasance. Versions 2.11.15 and 2.12.5 patch the issue. No known workarounds are available.
Title NATS is vulnerable to MQTT hijacking via Client ID
Weaknesses CWE-287
CWE-488
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L'}

Subscriptions

Linuxfoundation Nats-server
Nats Nats Server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T13:05:12.279Z

Reserved: 2026-03-17T23:23:58.314Z

Link: CVE-2026-33215

cve-icon Vulnrichment

Updated: 2026-03-25T13:05:05.816Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-24T21:16:28.640

Modified: 2026-03-26T17:19:15.823

Link: CVE-2026-33215

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-24T20:55:53Z

Links: CVE-2026-33215 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:09:18Z

Weaknesses