CVE-2026-33215 — Improper Authentication in Nats-server

CWE-287 — Improper Authentication CWE-488 — Exposure of Data Element to Wrong Session CWE-290 — Authentication Bypass by Spoofing8 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.0%

top 97.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nats-io Nats-server Linuxfoundation Nats-server Github.com Nats-io Nats-server V2 +1 more

Timeline

PublishedMar 24

Latest updateMar 26

Description

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server provides an MQTT client interface. Prior to versions 2.11.15 and 2.12.5, Sessions and Messages can by hijacked via MQTT Client ID malfeasance. Versions 2.11.15 and 2.12.5 patch the issue. No known workarounds are available.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages5 packages

▶debiandebian/nats-server< nats-server 2.12.6-1 (forky)

▶CVEListV5nats-io/nats-server< 2.11.15+1

▶NVDlinuxfoundation/nats-server2.0.0 — 2.11.15+1

▶Gogithub.com/nats-io_nats-server_v22.12.0-RC.1 — 2.12.6+1

▶Debianlinuxfoundation/nats-server< 2.12.6-1

🔴Vulnerability Details

OSV

NATS is vulnerable to MQTT hijacking via Client ID in github.com/nats-io/nats-server↗2026-03-26

▶

OSV

CVE-2026-33215: NATS-Server is a High-Performance server for NATS↗2026-03-24

▶

OSV

NATS is vulnerable to MQTT hijacking via Client ID↗2026-03-24

▶

GHSA

NATS is vulnerable to MQTT hijacking via Client ID↗2026-03-24

▶

📋Vendor Advisories

Red Hat

nats-server: NATS-Server: Session and message hijacking via MQTT Client ID malfeasance↗2026-03-24

▶

Debian

CVE-2026-33215: nats-server - NATS-Server is a High-Performance server for NATS.io, a cloud and edge native me...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33215 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶