8.6

CVE-2026-33216

NATS has MQTT plaintext password disclosure

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints. Versions 2.11.14 and 2.12.6 contain a fix. As a workaround, ensure monitoring end-points are adequately secured. Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxfoundationNats-server Version < 2.11.15
LinuxfoundationNats-server Version >= 2.12.0 < 2.12.6
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.37% 0.284
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com 8.6 3.9 4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 8.6 3.9 4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CWE-213 Exposure of Sensitive Information Due to Incompatible Policies

The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product's administrator, users, or others whose information is being processed.

CWE-256 Plaintext Storage of a Password

The product stores a password in plaintext within resources such as memory or files.

https://github.com/nats-io/nats-server/security/advisories/GHSA-v722-jcv5-w7mc
Vendor Advisory
Mitigation
https://github.com/nats-io/nats-server/commit/b5b63cfc35a57075e09c1f57503d31721bed8099
Patch
https://advisories.nats.io/CVE/secnote-2026-05.txt
Vendor Advisory
Mitigation
https://access.redhat.com/errata/RHSA-2026:21769
https://access.redhat.com/errata/RHSA-2026:22347
https://access.redhat.com/errata/RHSA-2026:23345
https://access.redhat.com/security/cve/CVE-2026-33216
https://bugzilla.redhat.com/show_bug.cgi?id=2451448
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33216.json