anonhaven
Ad

CVE-2026-33215

MEDIUM CVSS 3.1: 6.5 EPSS 0.01%
Updated Mar 26, 2026
Linuxfoundation
Parameter Value
CVSS 6.5 (MEDIUM)
Affected Versions 2.0.0 — 2.12.5
Fixed In 2.11.15
Type CWE-287 (Improper Authentication), CWE-488
Vendor Linuxfoundation
Public PoC No

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server provides an MQTT client interface. Prior to versions 2.11.15 and 2.12.5, Sessions and Messages can by hijacked via MQTT Client ID malfeasance.

Versions 2.11.15 and 2.12.5 patch the issue. No known workarounds are available.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
Low
Partial data leak
Integrity
Low
Partial data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-287 Improper Authentication
CWE-488

Vulnerable Products 2

Configuration From (including) Up to (excluding)
Linuxfoundation Nats-Server
cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*
 2.0.0 2.11.15
Linuxfoundation Nats-Server
cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*
 2.12.0 2.12.5

References 2

https://advisories.nats.io/CVE/secnote-2026-06.tx
security-advisories@github.com
https://github.com/nats-io/nats-server/security/advisories/GHSA-fcjp-h8cc-6879
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-33249

Payload

4.3

CVE-2026-33248

Linuxfoundation

4.2

CVE-2026-33223

Linuxfoundation

5.4

CVE-2026-33222

Linuxfoundation

4.9

CVE-2026-33247

Linuxfoundation

5.3