CVE-2026-33217 — Incorrect Authorization in Nats-server

CWE-863 — Incorrect Authorization CWE-425 — Forced Browsing8 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.0%

top 92.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nats-io Nats-server Linuxfoundation Nats-server Github.com Nats-io Nats-server V2 +1 more

Timeline

PublishedMar 25

Latest updateMar 26

Description

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using ACLs on message subjects, these ACLs were not applied in the `$MQTT.>` namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages5 packages

▶debiandebian/nats-server< nats-server 2.12.6-1 (forky)

▶CVEListV5nats-io/nats-server< 2.11.15+1

▶NVDlinuxfoundation/nats-server2.12.0 — 2.12.6+1

▶Gogithub.com/nats-io_nats-server_v22.12.0-RC.1 — 2.12.6+1

▶Debianlinuxfoundation/nats-server< 2.12.6-1

🔴Vulnerability Details

OSV

NATS allows MQTT clients to bypass ACL checks in github.com/nats-io/nats-server↗2026-03-26

▶

OSV

CVE-2026-33217: NATS-Server is a High-Performance server for NATS↗2026-03-25

▶

OSV

NATS allows MQTT clients to bypass ACL checks↗2026-03-24

▶

GHSA

NATS allows MQTT clients to bypass ACL checks↗2026-03-24

▶

📋Vendor Advisories

Red Hat

nats-server: github.com/nats-io/nats-server: NATS-Server: Access control bypass via unapplied ACLs in MQTT namespace↗2026-03-25

▶

Debian

CVE-2026-33217: nats-server - NATS-Server is a High-Performance server for NATS.io, a cloud and edge native me...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33217 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶