6.5
CVE-2026-33215
- EPSS 0.24%
- Veröffentlicht 24.03.2026 21:16:28
- Zuletzt bearbeitet 26.03.2026 17:19:15
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
NATS is vulnerable to MQTT hijacking via Client ID
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server provides an MQTT client interface. Prior to versions 2.11.15 and 2.12.5, Sessions and Messages can by hijacked via MQTT Client ID malfeasance. Versions 2.11.15 and 2.12.5 patch the issue. No known workarounds are available.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linuxfoundation ≫ Nats-server Version >= 2.0.0 < 2.11.15
Linuxfoundation ≫ Nats-server Version >= 2.12.0 < 2.12.5
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.24% | 0.148 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 3.9 | 2.5 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
|
| security-advisories@github.com | 6.5 | 2.2 | 4.2 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L
|
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-488 Exposure of Data Element to Wrong Session
The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.
https://advisories.nats.io/CVE/secnote-2026-06.tx
https://github.com/nats-io/nats-server/security/advisories/GHSA-fcjp-h8cc-6879