cbcvebase.
CVE-2026-33216
published 2026-03-25

CVE-2026-33216: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments…

PriorityP347high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EPSS
0.36%
28.4th percentile
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints. Versions 2.11.14 and 2.12.6 contain a fix. As a workaround, ensure monitoring end-points are adequately secured. Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users.

Affected

8 ranges
VendorProductVersion rangeFixed in
debiannats-server< nats-server 2.12.6-1 (forky)nats-server 2.12.6-1 (forky)
github.comnats-io_nats-server_v2>= 0 < 2.11.152.11.15
github.comnats-io_nats-server_v2>= 2.12.0-RC.1 < 2.12.62.12.6
linuxfoundationnats-server< 2.11.152.11.15
linuxfoundationnats-server>= 0 < 2.12.6-12.12.6-1
linuxfoundationnats-server>= 2.12.0 < 2.12.62.12.6
nats-ionats-server< 2.11.152.11.15
nats-ionats-server

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
osv7.5HIGH
vendor_debian8.6HIGH
vendor_redhat8.6HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.