CVE-2026-33217
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
5DescriptionNVD
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server provides an MQTT client interface.
Problem Description
When using ACLs on message subjects, these ACLs were not applied in the $MQTT.> namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
None.
AnalysisAI
An access control list (ACL) bypass vulnerability exists in NATS.io nats-server that allows authenticated MQTT clients to bypass subject-based authorization controls. Affected versions include all nats-server releases before v2.12.6 and v2.11.15. When ACLs are configured to restrict access to message subjects, these controls are not enforced within the $MQTT.> namespace, enabling low-privileged MQTT users to publish or subscribe to subjects they should not have access to.
Technical ContextAI
NATS.io is a high-performance publish-subscribe messaging system written in Go (pkg:go/github.com_nats-io_nats-server_v2) that supports multiple client protocols including native NATS and MQTT. The vulnerability stems from CWE-863 (Incorrect Authorization), where the authorization logic fails to apply subject-based ACL rules when messages are accessed through the MQTT protocol interface using the $MQTT.> namespace prefix. This namespace isolation issue creates a parallel path for MQTT clients to access the same underlying message subjects that would be properly protected when accessed via native NATS clients, effectively creating an authorization bypass through protocol selection.
RemediationAI
Upgrade nats-server to version v2.12.6 or later if running the v2.12.x series, or to version v2.11.15 or later if running the v2.11.x series, as documented in the GitHub security advisory at https://github.com/nats-io/nats-server/security/advisories/GHSA-jxxm-27vp-c3m5 and NATS advisory https://advisories.nats.io/CVE/secnote-2026-07.txt. The vendor has indicated no workarounds are available, making patching the only effective mitigation. Organizations unable to immediately patch should consider temporarily disabling MQTT protocol support if not business-critical, or implementing network-level access controls to restrict MQTT client connections to trusted sources until the upgrade can be completed.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today