CVE-2026-33215
Published 2026-03-24
Priority P337 · Severity medium · CVSS 3.1 base score 6.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS: 0.24% (15.0th percentile)
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server provides an MQTT client interface. Prior to versions 2.11.15 and 2.12.5, sessions and messages can be hijacked via MQTT Client ID malfeasance. Versions 2.11.15 and 2.12.5 patch the issue. No known workarounds are available.

Note on the fixed versions: the CVE text names 2.12.5 as the patched 2.12.x release, while the GHSA advisory, the github.com module range and the Debian fix on this page give 2.12.6. Upgrading the 2.12 line to 2.12.6 or later satisfies every source listed here; the 2.11 line is consistently fixed at 2.11.15. The NVD vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) describes an unauthenticated network attacker with low-rated confidentiality and integrity impact and no availability impact; neither it nor the advisory text describes how the Client ID is abused.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | nats-server | < nats-server 2.12.6-1 (forky) | nats-server 2.12.6-1 (forky) |
| github.com | nats-io_nats-server_v2 | >= 0 < 2.11.15 | 2.11.15 |
| github.com | nats-io_nats-server_v2 | >= 2.12.0-RC.1 < 2.12.6 | 2.12.6 |
| linuxfoundation | nats-server | >= 0 < 2.12.6-1 | 2.12.6-1 |
| linuxfoundation | nats-server | >= 2.0.0 < 2.11.15 | 2.11.15 |
| linuxfoundation | nats-server | >= 2.12.0 < 2.12.5 | 2.12.5 |
| nats-io | nats-server | < 2.11.15 | 2.11.15 |
| nats-io | nats-server | — | — |
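As an added example (not code from the nats-server project or from any advisory on this page): a Go check that parses a nats-server version string, applies the affected ranges listed in the table above, and reads the running version out of a nats-server `/varz` monitoring response. It takes the stricter 2.12.6 boundary from the GHSA and github.com module rows rather than the 2.12.5 in the CVE text, so 2.12.5 is reported as affected. The `/varz` document is a constructed sample, and the `mqtt.port` read is an assumption about the response shape, used only to show whether an MQTT listener is configured at all.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Version is a parsed nats-server release tag such as "2.12.0-RC.1".
type Version struct {
	Major, Minor, Patch int
	Pre                 string // pre-release tag ("RC.1"); empty for a final release
}

// ParseVersion accepts "2.12.3", "v2.12.3" and "2.12.0-RC.1".
func ParseVersion(s string) (Version, error) {
	var v Version
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.Pre, s = s[i+1:], s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("version %q: want MAJOR.MINOR.PATCH", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("version %q: bad component %q", s, p)
		}
		nums[i] = n
	}
	v.Major, v.Minor, v.Patch = nums[0], nums[1], nums[2]
	return v, nil
}

// Compare returns -1, 0 or 1. As in semver, a pre-release sorts before the final
// release with the same numbers (2.12.0-RC.1 < 2.12.0). Pre-release tags are
// compared as plain strings, which is enough for the RC.N tags nats-server uses.
func Compare(a, b Version) int {
	an, bn := [3]int{a.Major, a.Minor, a.Patch}, [3]int{b.Major, b.Minor, b.Patch}
	for i := range an {
		if an[i] != bn[i] {
			if an[i] < bn[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case a.Pre == b.Pre:
		return 0
	case a.Pre == "":
		return 1
	case b.Pre == "":
		return -1
	}
	return strings.Compare(a.Pre, b.Pre)
}

func mustParse(s string) Version {
	v, err := ParseVersion(s)
	if err != nil {
		panic(err)
	}
	return v
}

// Affected applies the ranges listed on this page, using the stricter 2.12.6 fix
// from the GHSA / module data rather than the 2.12.5 named in the CVE text:
//   < 2.11.15                    (fixed in 2.11.15)
//   >= 2.12.0-RC.1 and < 2.12.6  (fixed in 2.12.6)
func Affected(v Version) bool {
	if Compare(v, mustParse("2.11.15")) < 0 {
		return true
	}
	return Compare(v, mustParse("2.12.0-RC.1")) >= 0 && Compare(v, mustParse("2.12.6")) < 0
}

// CheckVarz decodes the "version" field of a nats-server /varz document and
// reports whether it falls in an affected range. Reading mqtt.port is an
// assumption about the document shape; it is 0 when no MQTT listener is set.
func CheckVarz(body []byte) (version string, affected bool, mqttPort int, err error) {
	var varz struct {
		Version string `json:"version"`
		MQTT    struct {
			Port int `json:"port"`
		} `json:"mqtt"`
	}
	if err = json.Unmarshal(body, &varz); err != nil {
		return "", false, 0, err
	}
	if varz.Version == "" {
		return "", false, 0, fmt.Errorf("/varz document has no version field")
	}
	v, err := ParseVersion(varz.Version)
	if err != nil {
		return varz.Version, false, varz.MQTT.Port, err
	}
	return varz.Version, Affected(v), varz.MQTT.Port, nil
}

// Constructed sample of a /varz response; not captured from a real server.
const sampleVarz = `{"server_id":"NEXAMPLE","version":"2.12.4","port":4222,"mqtt":{"host":"0.0.0.0","port":1883}}`

func main() {
	ver, aff, port, err := CheckVarz([]byte(sampleVarz))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("nats-server %s: affected by CVE-2026-33215 = %v (mqtt port %d)\n", ver, aff, port)
}
```

The pre-release handling matters here because the affected 2.12 range starts at a release candidate: a naive string or tuple comparison that treats 2.12.0-RC.1 as equal to or newer than 2.12.0 would misclassify candidates built from that line.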
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| ghsa | — | 6.5 | MEDIUM | — |
| osv | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 6.5 | MEDIUM | — |
| vendor_redhat | — | 6.5 | MEDIUM | — |
OSV · 2026-03-26
NATS is vulnerable to MQTT hijacking via Client ID in github.com/nats-io/nats-server
OSV · 2026-03-24 · CVSS 6.5 [MEDIUM]
CVE-2026-33215: NATS-Server is a High-Performance server for NATS (same description as the CVE entry above)
OSV · 2026-03-24 · CVSS 6.5 [MEDIUM]
NATS is vulnerable to MQTT hijacking via Client ID (mirror of the GHSA advisory text below)
GHSA · 2026-03-24 · CVSS 6.5 [MEDIUM] · CWE-287
NATS is vulnerable to MQTT hijacking via Client ID
### Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server provides an MQTT client interface.
### Problem Description
Sessions and messages can be hijacked via MQTT Client ID malfeasance.
### Affected Versions
Any version before v2.12.6 or v2.11.15
### Workarounds
None.
Red Hat · 2026-03-24 · CVSS 6.5 [MEDIUM] · CWE-290
nats-server: NATS-Server: Session and message hijacking via MQTT Client ID malfeasance
A flaw was found in NATS-Server. A remote attacker could exploit this vulnerability by manipulating MQTT (Message Queuing Telemetry Transport) Client IDs. This malfeasance allows for the hijacking of client sessions and messages. This could lead to unauthorized access to sensitive information or disruption of service.
Package: multicluster-globalhub/multicluster-globalhub
Debian · 2026 · CVSS 6.5 [MEDIUM]
CVE-2026-33215: nats-server (same description as the CVE entry above)
Scope: local
bookworm: open
forky: resolved (fixed in 2.12.6-1)
sid: resolved (fixed in 2.12.6-1)
trixie: open
No detection rules found.
No public exploits indexed.
Published 2026-03-24