{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33216", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T23:23:58.314Z", "datePublished": "2026-03-25T19:41:55.670Z", "dateUpdated": "2026-03-25T19:47:49.517Z"}, "containers": {"cna": {"title": "NATS has MQTT plaintext password disclosure", "problemTypes": [{"descriptions": [{"cweId": "CWE-256", "lang": "en", "description": "CWE-256: Plaintext Storage of a Password", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-v722-jcv5-w7mc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-v722-jcv5-w7mc"}, {"name": "https://github.com/nats-io/nats-server/commit/b5b63cfc35a57075e09c1f57503d31721bed8099", "tags": ["x_refsource_MISC"], "url": "https://github.com/nats-io/nats-server/commit/b5b63cfc35a57075e09c1f57503d31721bed8099"}, {"name": "https://advisories.nats.io/CVE/secnote-2026-05.txt", "tags": ["x_refsource_MISC"], "url": "https://advisories.nats.io/CVE/secnote-2026-05.txt"}], "affected": [{"vendor": "nats-io", "product": "nats-server", "versions": [{"version": "< 2.11.15", "status": "affected"}, {"version": ">= 2.12.0-RC.1, < 2.12.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T19:47:49.517Z"}, "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints. Versions 2.11.14 and 2.12.6 contain a fix. As a workaround, ensure monitoring end-points are adequately secured. Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users."}], "source": {"advisory": "GHSA-v722-jcv5-w7mc", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints. Versions 2.11.14 and 2.12.6 contain a fix. As a workaround, ensure monitoring end-points are adequately secured. Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users."}], "id": "CVE-2026-33216", "lastModified": "2026-03-25T20:16:32.320", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-25T20:16:32.320", "references": [{"source": "security-advisories@github.com", "url": "https://advisories.nats.io/CVE/secnote-2026-05.txt"}, {"source": "security-advisories@github.com", "url": "https://github.com/nats-io/nats-server/commit/b5b63cfc35a57075e09c1f57503d31721bed8099"}, {"source": "security-advisories@github.com", "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-v722-jcv5-w7mc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-256"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T21:39:23.838300+00:00", "value": {"mitigation_remediation": ["Update the NATS Server to version 2.11.15 or later 2.12.6 or newer.", "If immediate upgrade is not possible, secure the monitoring endpoints by limiting access to trusted internal networks or applying network segmentation."], "summary": {"action": "Apply patch", "impact": "Plaintext password disclosure"}, "threat_synthesis": {"affected_systems": "The affected product is NATS-IO NATS Server. Versions before 2.11.15 and 2.12.6 contain the flaw; these releases are susceptible to the disclosure. Later releases, starting with 2.11.15 and 2.12.6, include the fix.", "description_and_impact": "The vulnerability involves MQTT passwords being incorrectly treated as non-authenticating identity statements, causing them to be exposed through monitoring endpoints. This flaw leads to plaintext credential leakage, allowing an attacker who can reach these endpoints to retrieve user passwords. The weakness corresponds to Credential Management \u2013 Plaintext Storage (CWE-256).", "risk_and_exploitability": "The CVSS score of 8.6 indicates high severity, and the flaw is not listed in the CISA KEV catalog. Since the exposed credentials are available through monitoring endpoints, the likely attack vector is remote access to those endpoints; protection can be achieved by restricting the monitoring interface to trusted networks. No EPSS score is provided, so the exact exploit probability is unknown."}}}}, "created": "2026-03-25T21:46:23.121322+00:00", "updated": "2026-03-25T21:46:23.121347+00:00", "vendors": []}