Which versions of Nanomq are affected by EUVD-2026-23939?

NanoMQ MQTT Broker versions prior to 0.24.11 contain a remotely exploitable heap buffer overflow in the REST API that allows unauthenticated attackers to cause denial of service.. A patch is available.

How to fix or mitigate EUVD-2026-23939?

Within 24 hours: Inventory all NanoMQ deployments and identify instances running versions prior to 0.24.11; assess criticality of affected systems. Within 7 days: Apply vendor-released patch version 0.24.11 to all NanoMQ instances; prioritize production environments and systems with external network exposure. Within 30 days: Validate patch deployment across all environments; review REST API access controls and implement network segmentation to restrict unauthenticated API access where feasible.

Nanomq EUVD-2026-23939

Q: What is the CVSS score of EUVD-2026-23939?

EUVD-2026-23939 has a CVSS 4.0 base score of 7.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

| CVE-2026-32135 HIGH

Heap-based Buffer Overflow (CWE-122)

2026-04-20 GitHub_M

Heap Overflow Buffer Overflow Nanomq

7.7

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.7 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Patch released

Apr 22, 2026 - 17:32 nvd

Patch available

Re-analysis Queued

Apr 21, 2026 - 16:22 vuln.today

cvss_changed

Analysis Generated

Apr 20, 2026 - 20:33 vuln.today

Patch available

Apr 20, 2026 - 20:01 EUVD

EUVD ID Assigned

Apr 20, 2026 - 20:00 euvd

EUVD-2026-23939

Analysis Generated

Apr 20, 2026 - 20:00 vuln.today

CVE Published

Apr 20, 2026 - 19:23 nvd

HIGH 7.7

DescriptionGitHub Advisory

NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Versions prior to 0.24.11 have a remotely triggerable heap buffer overflow in the uri_param_parse function of NanoMQ's REST API. The vulnerability occurs due to an off-by-one error when allocating memory for query parameter keys and values, allowing an attacker to write a null byte beyond the allocated buffer. This can be triggered via a crafted HTTP request. Version 0.24.11 patches the issue.

AnalysisAI

Heap buffer overflow in NanoMQ MQTT Broker's REST API allows remote unauthenticated attackers to trigger denial of service via crafted HTTP requests. The off-by-one error in uri_param_parse function (CWE-122) affects all versions prior to 0.24.11. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Identify NanoMQ REST API endpoint

Delivery

Craft HTTP request with oversized query parameters

Exploit

Trigger off-by-one overflow in uri_param_parse

Execution

Corrupt heap metadata

Impact

Crash broker process (denial of service)