PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-33217 nats-io CVE debrief

CVE-2026-33217 is a high-severity vulnerability in NATS-Server, a cloud- and edge-native messaging system. The vulnerability allows MQTT clients to bypass ACL checks on message subjects in the `$MQTT.>` namespace when ACLs are configured for those subjects. This issue was addressed in versions 2.11.15 and 2.12.6 of NATS-Server. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 7.1, indicating high severity. There are no known workarounds available for this vulnerability.

Vendor: nats-io
Product: nats-server
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-25
Original CVE updated: 2026-06-30
Advisory published: 2026-03-25
Advisory updated: 2026-06-30

Who should care

Security teams and administrators responsible for NATS-Server installations should be aware of this vulnerability. Given the high CVSS score of 7.1, this vulnerability should be prioritized for patching. Organizations using NATS-Server versions prior to 2.11.15 or 2.12.6 are potentially affected.

Technical summary

The vulnerability in NATS-Server arises from the improper application of Access Control Lists (ACLs) to message subjects in the `$MQTT.>` namespace. Specifically, ACL checks are bypassed for MQTT subjects, allowing access that the configured permissions should have denied. This issue is resolved in NATS-Server versions 2.11.15 and 2.12.6. The vulnerability is characterized by the CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N, indicating high severity: network-reachable, low attack complexity, requiring low privileges (an authenticated client) and no user interaction, with a high integrity impact. The weaknesses associated with this vulnerability are CWE-863 (Incorrect Authorization) and CWE-425 (Unprotected Storage of Credentials).

Defensive priority

High. Given the CVSS score of 7.1 and the potential for unauthorized access, this vulnerability should be prioritized for remediation.

Recommended defensive actions

  • Upgrade NATS-Server to version 2.11.15 or later on the 2.11 line, or 2.12.6 or later on the 2.12 line.
  • Review and update ACL configurations for message subjects in the `$MQTT.>` namespace.
  • Monitor NATS-Server installations for potential exploitation attempts, in particular MQTT clients acting on subjects their permissions should deny.
  • Implement compensating controls, such as additional authentication or logging, if immediate patching is not feasible.
  • Track vendor advisories for further information and updates.

Evidence notes

The CVE-2026-33217 vulnerability was publicly disclosed on March 25, 2026, and the CVE record was last modified on June 30, 2026. The vulnerability affects NATS-Server versions prior to 2.11.15 and 2.12.6. The CVSS score of 7.1 indicates high severity. There are no known workarounds for this vulnerability.

Official resources

This article is AI-assisted and based on the supplied source corpus.