CVE-2026-33216
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Plaintext MQTT passwords readable over the network via typically unauthenticated monitoring endpoints, so AV:N/AC:L/PR:N/UI:N with C:H and no integrity or availability impact.
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
10DescriptionNVD
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server provides an MQTT client interface.
Problem Description
For MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
Ensure monitoring end-points are adequately secured.
Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users.
AnalysisAI
Credential disclosure in NATS Server (nats-server) before v2.11.15 and v2.12.6 exposes MQTT client passwords through the server's HTTP monitoring endpoints. When MQTT clients authenticate with username/password, the server mistakenly stores the password in the field reserved for a non-authenticating JWT identity statement, which is then surfaced verbatim in monitoring data such as connection listings. There is no public exploit identified at time of analysis and SSVC marks exploitation as none, the EPSS score is very low (0.03%), and a vendor patch is available.
Same weakness CWE-256 – Plaintext Storage of a Password
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today