PatchSiren cyber security CVE debrief
CVE-2026-33217 nats-io CVE debrief
CVE-2026-33217 is a high-severity vulnerability in NATS-Server, a cloud- and edge-native messaging system. On affected versions, MQTT clients can bypass the ACL checks that operators place on message subjects in the `$MQTT.>` namespace, so a publish or subscribe restriction on those subjects is not enforced for the MQTT path. The issue was fixed in NATS-Server 2.11.15 and 2.12.6. The CVSS 3.1 base score is 7.1 (High). The vendor lists no workaround; upgrading is the only fix.
- Vendor: nats-io
- Product: nats-server
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-25
- Original CVE updated: 2026-06-30
- Advisory published: 2026-03-25
- Advisory updated: 2026-06-30
Who should care
Security teams and administrators responsible for NATS-Server deployments should treat this as a priority patch, particularly where the MQTT listener is exposed to clients that are authenticated but not fully trusted, since the flaw lets such clients act on subjects their permissions were meant to block. Deployments on the 2.11 line before 2.11.15 and on the 2.12 line before 2.12.6 are affected.
Technical summary
The vulnerability arises from the incorrect application of Access Control Lists (ACLs) to message subjects in the `$MQTT.>` namespace: for MQTT clients, the ACL check on those subjects is bypassed, so a client can reach subjects that its configured permissions should deny. The fix shipped in NATS-Server 2.11.15 and 2.12.6. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N, which reads as: reachable over the network with low attack complexity by an authenticated low-privilege client, no user interaction, high integrity impact and low confidentiality impact, scope unchanged. The associated weaknesses are CWE-863 (Incorrect Authorization) and CWE-425 (Direct Request, 'Forced Browsing'); note that the record's second CWE identifier denotes forced browsing, not credential storage.
Defensive priority
High. Given the CVSS score of 7.1 and the potential for unauthorized access, this vulnerability should be prioritized for remediation.
Recommended defensive actions
- Upgrade NATS-Server to 2.11.15 or later on the 2.11 line, or to 2.12.6 or later on the 2.12 line.
- Review the permissions of users and accounts that connect over MQTT, in particular any publish or subscribe rules that reference the `$MQTT.>` namespace, and verify after upgrading that those rules are actually enforced for MQTT clients.
- Monitor NATS-Server logs for permission violations on `$MQTT.>` subjects and for unexpected MQTT client activity.
- If immediate patching is not feasible, tighten which clients may authenticate to the MQTT listener and increase logging, but treat these as stopgaps: the vendor lists no workaround, and only the upgrade closes the bypass.
- Track vendor advisories for further information and updates.
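As an added illustration (not configuration from the advisory or from the NATS project), the following nats-server configuration shows the kind of ACL the advisory is about: a user account intended for MQTT devices whose publish and subscribe permissions explicitly deny the `$MQTT.>` namespace. The server name, ports, store directory, user name, environment variable and application subjects are assumptions chosen for the example. Per the advisory, on versions before 2.11.15 and 2.12.6 an MQTT client bypasses this check for `$MQTT.>` subjects, so the deny is only a meaningful control on a patched server and is not a workaround.

```conf
# Added example configuration for CVE-2026-33217 (not from the advisory
# or the NATS project). Names, ports and subjects are illustrative.
server_name: mqtt-edge-1

# MQTT support in nats-server requires JetStream to be enabled.
jetstream {
  store_dir: /var/lib/nats/jetstream
}

# MQTT listener used by the devices.
mqtt {
  port: 1883
}

authorization {
  users = [
    {
      # Account used by MQTT devices. Restrict it to the application
      # subjects it needs and deny the server-internal $MQTT.> namespace
      # explicitly. Before 2.11.15 / 2.12.6 this deny was not enforced
      # for MQTT clients (CVE-2026-33217); after the upgrade it is.
      user: edge-device
      password: $EDGE_DEVICE_PASS
      permissions: {
        publish: {
          allow: ["telemetry.>"]
          deny: ["$MQTT.>"]
        }
        subscribe: {
          allow: ["commands.edge.>"]
          deny: ["$MQTT.>"]
        }
      }
    }
  ]
}
```

Validate the file with `nats-server -c nats.conf -t` before deploying it, and after upgrading confirm on the patched server that an MQTT client using this account is refused on `$MQTT.>` subjects; the server records permission violations in its log, which is also where exploitation attempts against the unpatched bypass would be absent, since the check was never applied.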
Evidence notes
The CVE-2026-33217 vulnerability was publicly disclosed on March 25, 2026, and the CVE record was last modified on June 30, 2026. The vulnerability affects NATS-Server versions prior to 2.11.15 and 2.12.6. The CVSS score of 7.1 indicates a high severity. There are no known workarounds for this vulnerability.
Official resources
- CVE-2026-33217 CVE record (CVE.org)
- CVE-2026-33217 NVD detail (NVD)
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.