8.6

CVE-2026-33216

EPSS 0.05%
Veröffentlicht 25.03.2026 19:41:55
Zuletzt bearbeitet 26.03.2026 17:14:04
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

NATS has MQTT plaintext password disclosure

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints. Versions 2.11.14 and 2.12.6 contain a fix. As a workaround, ensure monitoring end-points are adequately secured. Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

NVD 2 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linuxfoundation ≫ Nats-server Version < 2.11.15

Linuxfoundation ≫ Nats-server Version >= 2.12.0 < 2.12.6

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.146

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	8.6	3.9	4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CWE-256 Plaintext Storage of a Password

Storing a password in plaintext may result in a system compromise.

https://github.com/nats-io/nats-server/security/advisories/GHSA-v722-jcv5-w7mc

Vendor Advisory

Mitigation

https://github.com/nats-io/nats-server/commit/b5b63cfc35a57075e09c1f57503d31721bed8099

Patch

https://advisories.nats.io/CVE/secnote-2026-05.txt

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2026-33216

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-33216

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-33216

EUVD