Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints. Versions 2.11.14 and 2.12.6 contain a fix. As a workaround, ensure monitoring end-points are adequately secured. Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users.
Published: 2026-03-25
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Plaintext password disclosure
Action: Patch immediately
AI Analysis

Impact

The vulnerability in NATS-Server allows an attacker to read MQTT passwords in clear text. Passwords are mistakenly exposed as non-authenticating identity statements and can be retrieved through monitoring endpoints. This flaw compromises user credentials and can lead to unauthorized access to MQTT topics and possibly to downstream systems, violating confidentiality.

Affected Systems

The affected product is nats-io:nats-server, maintained by the NATS.io community. Versions prior to 2.11.15 in the 2.11.x series and prior to 2.12.6 in the 2.12.x series are impacted. The fix is included starting at 2.11.15 and 2.12.6.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity, while the EPSS value of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, but it remains a significant risk wherever monitoring endpoints are reachable: an attacker with network connectivity to an improperly exposed monitoring API gains read access through it and can obtain the stored passwords of MQTT users.

Generated by OpenCVE AI on March 26, 2026 at 18:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest version of NATS-Server (2.11.15 or newer, or 2.12.6 or newer).
  • Restrict access to the monitoring endpoints using firewall rules or network segmentation.


Advisories
Source: GitHub GHSA
ID: GHSA-v722-jcv5-w7mc
Title: NATS has MQTT plaintext password disclosure
History

Sat, 28 Mar 2026 03:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 17:15:00 +0000

Type: First Time appeared
Values Added: Linuxfoundation; Linuxfoundation nats-server
Type: CPEs
Values Added: cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*
Type: Vendors & Products
Values Added: Linuxfoundation; Linuxfoundation nats-server

Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Nats; Nats nats Server
Type: Vendors & Products
Values Added: Nats; Nats nats Server

Thu, 26 Mar 2026 00:15:00 +0000

Type: Weaknesses
Values Added: CWE-213
Type: References
Type: Metrics
Values Removed: threat_severity None
Values Added: threat_severity Important


Wed, 25 Mar 2026 20:00:00 +0000

Type: Description
Values Added: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints. Versions 2.11.14 and 2.12.6 contain a fix. As a workaround, ensure monitoring end-points are adequately secured. Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users.
Type: Title
Values Added: NATS has MQTT plaintext password disclosure
Type: Weaknesses
Values Added: CWE-256
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-28T01:37:49.970Z

Reserved: 2026-03-17T23:23:58.314Z

Link: CVE-2026-33216

Vulnrichment

Updated: 2026-03-28T01:37:43.557Z

NVD

Status : Analyzed

Published: 2026-03-25T20:16:32.320

Modified: 2026-03-26T17:14:04.097

Link: CVE-2026-33216

Redhat

Severity : Important

Public Date: 2026-03-25T19:41:55Z

Links: CVE-2026-33216 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:30:14Z

Weaknesses