PT-2026-27613 · Nats.Io · Nats Server

Published: 2026-03-24 · Updated: 2026-05-21 · CVE-2026-33216

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
NATS-Server versions prior to 2.11.15
NATS-Server versions prior to 2.12.6

Description
NATS-Server, a high-performance server for NATS.io, a cloud- and edge-native messaging system, contains an issue in MQTT deployments that authenticate with usercodes and passwords: the MQTT password is incorrectly classified as a non-authenticating identity statement (JWT) and is therefore exposed through the server's monitoring endpoints. As a result, sensitive password material may be readable by anyone who can reach those endpoints. Monitoring endpoints should be adequately secured and never exposed to untrusted networks.

Recommendations
Update NATS-Server to version 2.11.15 or later.
Update NATS-Server to version 2.12.6 or later.
Ensure monitoring endpoints are adequately secured.
Avoid exposing the monitoring endpoint to the Internet or to other untrusted network users.
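A small triage helper for the two recommendations above, added here as an example and not part of the advisory or of the NATS project: IsAffected applies the advisory's fix thresholds to a nats-server version string (assumed to be in MAJOR.MINOR.PATCH form, optionally prefixed with "v"), and MonitoringExposed flags a monitoring listen address (assumed to be given as host:port or :port, as the operator configured it) that would accept connections from beyond the local host.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// versionKey packs "v2.11.14" into 2011014 so releases compare as integers
// (assumes each component stays below 1000, which holds for nats-server).
func versionKey(v string) (int, error) {
	var major, minor, patch int
	if _, err := fmt.Sscanf(strings.TrimPrefix(v, "v"), "%d.%d.%d", &major, &minor, &patch); err != nil {
		return 0, fmt.Errorf("expected MAJOR.MINOR.PATCH, got %q: %w", v, err)
	}
	return major*1000000 + minor*1000 + patch, nil
}

// IsAffected applies the advisory's thresholds: the 2.12 line is fixed in
// 2.12.6; every other release line is fixed in 2.11.15, so 2.10.x is affected.
func IsAffected(version string) (bool, error) {
	key, err := versionKey(version)
	if err != nil {
		return false, err
	}
	if key/1000 == 2012 { // 2.12.x line
		return key < 2012006, nil
	}
	return key < 2011015, nil
}

// MonitoringExposed reports whether a monitoring listen address would accept
// connections from other hosts; unresolved hostnames are treated as exposed.
func MonitoringExposed(listen string) bool {
	host, _, err := net.SplitHostPort(listen)
	if err != nil || host == "" || host == "0.0.0.0" || host == "::" {
		return true // bare port or wildcard address binds every interface
	}
	ip := net.ParseIP(host)
	return host != "localhost" && (ip == nil || !ip.IsLoopback())
}

func main() {
	affected, _ := IsAffected("2.11.14") // constructed sample version
	fmt.Println("2.11.14 affected:", affected, "| :8222 exposed:", MonitoringExposed(":8222"))
}
```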


Related Identifiers

BIT-NATS-2026-33216
CVE-2026-33216
GHSA-V722-JCV5-W7MC
GO-2026-4836
SUSE-SU-2026:1135-1

Affected Products

Nats Server