anonhaven
Ad

CVE-2026-33217

HIGH CVSS 3.1: 6.5 EPSS 0.03%
Updated Mar 26, 2026
Linuxfoundation
Parameter Value
CVSS 6.5 (HIGH)
Affected Versions 2.12.0 — 2.12.6
Fixed In 2.11.15
Type CWE-863 (Incorrect Authorization)
Vendor Linuxfoundation
Public PoC No

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using ACLs on message subjects, these ACLs were not applied in the `$MQTT.>` namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects. Versions 2.11.15 and 2.12.6 contain a fix.

No known workarounds are available.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
Low
Partial data leak
Integrity
Low
Partial data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-863 Incorrect Authorization

Vulnerable Products 2

Configuration From (including) Up to (excluding)
Linuxfoundation Nats-Server
cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*
 2.11.15
Linuxfoundation Nats-Server
cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*
 2.12.0 2.12.6

References 2

https://advisories.nats.io/CVE/secnote-2026-07.txt
security-advisories@github.com
https://github.com/nats-io/nats-server/security/advisories/GHSA-jxxm-27vp-c3m5
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-27489

Linuxfoundation

8.7

CVE-2026-33015

Everest

5.2

CVE-2026-33014

Everest

5.2

CVE-2026-33009

Everest

6.5

CVE-2026-29044

Everest

6.5