Skip to main content

Red Hat EUVDEUVD-2026-15017

| CVE-2026-33215 MEDIUM
Improper Authentication (CWE-287)
2026-03-24 GitHub_M GHSA-fcjp-h8cc-6879
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L
SUSE
MEDIUM
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 24, 2026 - 21:16 euvd
EUVD-2026-15017
Analysis Generated
Mar 24, 2026 - 21:16 vuln.today
CVE Published
Mar 24, 2026 - 20:55 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server provides an MQTT client interface. Prior to versions 2.11.15 and 2.12.5, Sessions and Messages can by hijacked via MQTT Client ID malfeasance. Versions 2.11.15 and 2.12.5 patch the issue. No known workarounds are available.

AnalysisAI

NATS-Server versions prior to 2.11.15 and 2.12.5 contain an authentication bypass vulnerability in the MQTT client interface that allows attackers to hijack sessions and messages through malicious MQTT Client ID manipulation. The vulnerability affects all versions of nats-server using the affected version ranges and has a CVSS score of 6.5 (medium-high severity) due to the combination of high confidentiality impact and low availability impact. No known public exploits or active exploitation in the wild has been confirmed, but the authentication bypass nature (CWE-287) and patch availability indicate this is a practical, exploitable issue that requires immediate attention for organizations running affected versions.

Technical ContextAI

NATS-Server provides an MQTT client interface as part of its cloud and edge-native messaging system. The vulnerability stems from improper authentication and identity validation of MQTT clients, specifically related to how Client IDs are processed and validated during session establishment. The root cause falls under CWE-287 (Improper Authentication), indicating that the server fails to properly verify the identity of MQTT clients before granting session access or allowing message manipulation. An attacker can exploit this by crafting malicious MQTT Client ID values that either impersonate legitimate clients or bypass authentication checks entirely, leading to unauthorized session hijacking and message access. The issue is specific to the MQTT protocol implementation within NATS-Server, not the core NATS protocol itself.

RemediationAI

Immediately upgrade NATS-Server to version 2.11.15 or later if running the 2.11.x branch, or to version 2.12.5 or later if running the 2.12.x branch. Consult the official NATS-IO security advisory at https://advisories.nats.io/CVE/secnote-2026-06.tx and GitHub advisory at https://github.com/nats-io/nats-server/security/advisories/GHSA-fcjp-h8cc-6879 for detailed upgrade instructions and release notes. Since no workarounds are available, patching is the only mitigation path. For organizations with delayed patching capability, implement network segmentation to restrict MQTT client access to trusted internal networks only, disable the MQTT interface entirely if not required, and monitor MQTT connection logs for anomalous Client ID patterns or repeated connection attempts from unexpected sources.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

EUVD-2026-15017 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy