CVE-2026-33217
Severity: HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Description
### Background

NATS.io is a high-performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The nats-server provides an MQTT client interface.

### Problem Description

When using ACLs on message subjects, these ACLs were not applied in the `$MQTT.>` namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects.

### Affected Versions

Any version before v2.12.6 or v2.11.15.

### Workarounds

None.
Analysis
An access control list (ACL) bypass vulnerability exists in NATS.io nats-server that allows authenticated MQTT clients to bypass subject-based authorization controls. Affected versions include all nats-server releases before v2.12.6 and v2.11.15. …
Remediation
Within 24 hours: Inventory all NATS.io deployments and identify those with MQTT enabled and ACLs configured; assess whether any MQTT users have lower privilege levels. Within 7 days: Implement compensating controls listed below and disable MQTT protocol if not operationally critical. …
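The inventory step above hinges on comparing each deployment's nats-server version against the two fixed releases the advisory names (v2.12.6 and v2.11.15), which are on different branches and so cannot be compared with a single "less than" test. The following is an added triage helper, not code from the advisory or the NATS project; the inventory it runs over is constructed sample data, and treating branches newer than 2.12 as fixed is an assumption.

```python
"""Triage helper for CVE-2026-33217 (nats-server MQTT ACL bypass)."""
import re

# Earliest fixed release per maintained branch, as stated in the advisory.
FIXED = {(2, 11): (2, 11, 15), (2, 12): (2, 12, 6)}


def parse_version(text):
    """Return (major, minor, patch) from strings such as 'v2.11.14' or
    the banner line 'nats-server: v2.12.5'. Pre-release suffixes are ignored."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if this release predates the fix on its own branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    if branch < (2, 11):
        # Older branches never received the fix.
        return True
    # Assumption: branches newer than 2.12 were cut after the fix.
    return False


def triage(inventory):
    """inventory: name -> {'version': str, 'mqtt': bool, 'acls': bool}.
    Returns the deployments to address first: affected build, MQTT listener
    enabled, and subject ACLs configured (the combination the advisory describes)."""
    return sorted(
        name for name, h in inventory.items()
        if is_affected(h["version"]) and h["mqtt"] and h["acls"]
    )


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = {
    "edge-a": {"version": "nats-server: v2.11.14", "mqtt": True, "acls": True},
    "edge-b": {"version": "v2.11.15", "mqtt": True, "acls": True},
    "core-1": {"version": "v2.12.5", "mqtt": False, "acls": True},
    "core-2": {"version": "v2.12.5", "mqtt": True, "acls": True},
    "legacy": {"version": "v2.10.22", "mqtt": True, "acls": False},
}

if __name__ == "__main__":
    print("prioritise:", triage(SAMPLE_INVENTORY))
```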