CVE-2026-33216

NATS has MQTT plaintext password disclosure

Assigner: GitHub_M
Reserved: 17.03.2026 Published: 25.03.2026 Updated: 25.03.2026

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints. Versions 2.11.14 and 2.12.6 contain a fix. As a workaround, ensure monitoring end-points are adequately secured. Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVSS Score: 8.6

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	nats-io
Product	nats-server
Versions	Version < 2.11.15 is affected Version >= 2.12.0-RC.1, < 2.12.6 is affected

Vendor

nats-io

Product

nats-server

Versions

Version < 2.11.15 is affected
Version >= 2.12.0-RC.1, < 2.12.6 is affected

References

Problem Types

CWE-256: Plaintext Storage of a Password CWE

CVE-2026-33216 PUBLISHED

NATS has MQTT plaintext password disclosure

Metrics

Product Status

References

Problem Types