Skip to main content

CVE-2026-33217

MEDIUM
Incorrect Authorization (CWE-863)
2026-03-24 https://github.com/nats-io/nats-server
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
SUSE
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Red Hat
8.1 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Severity Changed
Jun 30, 2026 - 03:24 NVD
HIGH MEDIUM
CVSS changed
Jun 30, 2026 - 03:24 NVD
7.1 (HIGH) 6.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 24, 2026 - 21:46 vuln.today
CVE Published
Mar 24, 2026 - 21:44 nvd
HIGH 7.1

DescriptionNVD

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server provides an MQTT client interface.

Problem Description

When using ACLs on message subjects, these ACLs were not applied in the $MQTT.> namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

None.

AnalysisAI

An access control list (ACL) bypass vulnerability exists in NATS.io nats-server that allows authenticated MQTT clients to bypass subject-based authorization controls. Affected versions include all nats-server releases before v2.12.6 and v2.11.15. When ACLs are configured to restrict access to message subjects, these controls are not enforced within the $MQTT.> namespace, enabling low-privileged MQTT users to publish or subscribe to subjects they should not have access to.

Technical ContextAI

NATS.io is a high-performance publish-subscribe messaging system written in Go (pkg:go/github.com_nats-io_nats-server_v2) that supports multiple client protocols including native NATS and MQTT. The vulnerability stems from CWE-863 (Incorrect Authorization), where the authorization logic fails to apply subject-based ACL rules when messages are accessed through the MQTT protocol interface using the $MQTT.> namespace prefix. This namespace isolation issue creates a parallel path for MQTT clients to access the same underlying message subjects that would be properly protected when accessed via native NATS clients, effectively creating an authorization bypass through protocol selection.

RemediationAI

Upgrade nats-server to version v2.12.6 or later if running the v2.12.x series, or to version v2.11.15 or later if running the v2.11.x series, as documented in the GitHub security advisory at https://github.com/nats-io/nats-server/security/advisories/GHSA-jxxm-27vp-c3m5 and NATS advisory https://advisories.nats.io/CVE/secnote-2026-07.txt. The vendor has indicated no workarounds are available, making patching the only effective mitigation. Organizations unable to immediately patch should consider temporarily disabling MQTT protocol support if not business-critical, or implementing network-level access controls to restrict MQTT client connections to trusted sources until the upgrade can be completed.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-33217 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy