Denial of Service Vulnerability in NanoMQ MQTT Broker by NanoMQ
CVE-2026-32696

3.1 LOW

Key Information:

Vendor: NanoMQ

Status
Vendor
CVE Published: 30 March 2026

What is CVE-2026-32696?

In NanoMQ version 0.24.6, a vulnerability exists when HTTP authentication is enabled. If a client connects to the broker without providing a username and password, and certain configuration parameters use placeholder values, a null pointer dereference occurs during the HTTP request processing. This leads to a segmentation fault (SIGSEGV), resulting in a crash of the broker and making it susceptible to denial of service attacks. This issue has been remediated in version 0.24.7.
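The bug class described above, as an added example that is not NanoMQ's own code: expanding placeholders in an HTTP auth parameter template when the CONNECT packet carried no username or password. The struct, the function names and the `%c`/`%u`/`%P` tokens are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for MQTT CONNECT fields; NULL means the client sent none. */
struct conn_fields { const char *client_id, *username, *password; };

/* Value for a placeholder character (assumed tokens: %c, %u, %P). */
static const char *lookup(const struct conn_fields *c, char tok) {
    return tok == 'c' ? c->client_id : tok == 'u' ? c->username : c->password;
}

/* Unsafe pattern, shown only in this comment: strlen(lookup(c, tok)) reads
 * through NULL when the field is absent and the process dies with SIGSEGV.
 * Hardened form: an absent field expands to "" and is counted in *missing so
 * the caller can reject the client. Returns a malloc'd string or NULL on OOM. */
char *expand_params(const char *tmpl, const struct conn_fields *c, int *missing) {
    size_t cap = strlen(tmpl) + 1, len = 0;
    char *out = malloc(cap);
    *missing = 0;
    if (!out) return NULL;
    for (const char *p = tmpl; *p; p++) {
        const char *val = p;             /* default: copy one literal byte */
        size_t n = 1;
        if (p[0] == '%' && p[1] != '\0' && strchr("cuP", p[1])) {
            val = lookup(c, *++p);
            if (val == NULL) { val = ""; (*missing)++; }
            n = strlen(val);
        }
        if (len + n + 1 > cap) {         /* grow before copying */
            char *tmp = realloc(out, cap = (len + n + 1) * 2);
            if (!tmp) { free(out); return NULL; }
            out = tmp;
        }
        memcpy(out + len, val, n);
        len += n;
    }
    out[len] = '\0';
    return out;
}

int main(void) {
    struct conn_fields anon = { "sensor-1", NULL, NULL };  /* constructed input */
    int missing;
    char *body = expand_params("clientid=%c&username=%u&password=%P", &anon, &missing);
    if (!body) return 1;
    printf("%s (missing=%d)\n", body, missing);
    free(body);
    return 0;
}
```

A broker using this pattern can treat `missing > 0` as an authentication failure and skip the HTTP request entirely.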

Affected Version(s)

nanomq >= 0.24.6, < 0.24.7

CVSS V3.1

Score: 3.1
Severity: LOW
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
