Authentication Bypass Vulnerability in NATS-Server by NATS.io
CVE-2026-33216
8.6 HIGH
What is CVE-2026-33216?
NATS-Server, a high-performance messaging system, handled MQTT passwords incorrectly. In versions earlier than 2.11.15 and 2.12.6, the MQTT password was misclassified as a non-authenticating identity statement, that is, treated as an identifier rather than as a secret, so it could be exposed through the server's monitoring endpoints. The fix is to upgrade to 2.11.15 or 2.12.6; the 2.12.0 release candidates and 2.12.0 through 2.12.5 are also affected. Until the upgrade is done, restrict access to the monitoring endpoints and do not expose them to untrusted networks, since anyone who can read them can recover the passwords of MQTT clients.
Affected Version(s)
nats-server < 2.11.15 (fixed in 2.11.15)
nats-server >= 2.12.0-RC.1, < 2.12.6 (fixed in 2.12.6)
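A practitioner's first question is whether a given server falls inside the affected ranges above and whether its monitoring listener is reachable from outside the host. The following is an added example, not code from the advisory or from the nats-server project: it encodes the two version ranges listed on this page, compares them against the version string a server reports, and flags a monitoring listener bound to all interfaces. The /varz document is a hand-constructed sample; only its "version" and "http_host" fields are assumed to be present, and the handling of pre-release tags such as 2.12.0-RC.1 follows SemVer ordering (pre-release before the corresponding release), which is an assumption about how nats-server numbers its release candidates.

```python
"""Offline check of a nats-server /varz document against CVE-2026-33216.

Added example, not the advisory's or the nats-server project's code.
The affected ranges are those listed in the advisory; the sample /varz
JSON is constructed by hand and only its "version" and "http_host"
fields are assumed to exist.
"""
import json
import re

# (lower bound inclusive or None, upper bound exclusive), from the advisory.
AFFECTED_RANGES = [
    (None, "2.11.15"),
    ("2.12.0-RC.1", "2.12.6"),
]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?")


def parse_version(s):
    """Return a sortable key for a SemVer-like nats-server version string.

    A pre-release (2.12.0-RC.1) sorts before its release (2.12.0). Within a
    pre-release tag, numeric identifiers compare numerically and sort before
    alphanumeric ones, as in SemVer; letters are compared case-insensitively.
    """
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    major, minor, patch, pre = m.groups()
    core = (int(major), int(minor), int(patch))
    if pre is None:
        # A release sorts after every pre-release of the same core version.
        return core + ((1,),)
    ids = []
    for ident in pre.split("."):
        ids.append((0, int(ident), "") if ident.isdigit() else (1, 0, ident.upper()))
    return core + ((0,), tuple(ids))


def is_affected(version):
    """True if `version` lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if (lo is None or parse_version(lo) <= v) and v < parse_version(hi):
            return True
    return False


def check_varz(varz_json):
    """Summarise a /varz JSON document: vulnerable version? monitor exposed?"""
    varz = json.loads(varz_json)
    version = varz["version"]
    # "http_host" is assumed to carry the monitoring listener's bind address;
    # an empty host, 0.0.0.0 or :: means non-local clients can reach /varz,
    # /connz and friends, which is exactly the exposure the advisory warns about.
    host = varz.get("http_host", "")
    return {
        "version": version,
        "vulnerable_version": is_affected(version),
        "monitor_exposed": host in ("", "0.0.0.0", "::"),
    }


# Constructed sample: an affected 2.12.x server with monitoring on all interfaces.
SAMPLE_VARZ = (
    '{"server_name": "n1", "version": "2.12.3", '
    '"http_host": "0.0.0.0", "http_port": 8222}'
)

if __name__ == "__main__":
    print(check_varz(SAMPLE_VARZ))
```

In a live check, the JSON would come from `GET /varz` on the monitoring port; run this from the host itself if that port is correctly restricted. A result of `vulnerable_version: True` means upgrade to 2.11.15 or 2.12.6; `monitor_exposed: True` means the listener should be rebound to a loopback or management-only address (nats-server's `http`/`http_port` configuration options, or the `-m` command-line flag, set the monitoring listener) and fronted by network controls until then.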
