216.73.217.50

CVE-2026-33216

· Published 25/03/2026 20:16 · Modified 26/03/2026 17:14

Labels: CVE-2026-33216 2026-03-25CVE-2026-33216CWE-256[email protected]

Essential information

Published
25/03/2026 20:16
Modified
26/03/2026 17:14
Author
Creator
CVSS
8.6 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVSS metrics

Description

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints. Versions 2.11.14 and 2.12.6 contain a fix. As a workaround, ensure monitoring end-points are adequately secured. Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users.

NVD status

Status
Analyzed — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
linuxfoundation / nats-server cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*
linuxfoundation / nats-server cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*

References