PT-2026-27614 · Nats.Io · Nats Server

Published 2026-03-24 · Updated 2026-05-21 · CVE-2026-33217

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions
NATS-Server versions prior to 2.11.15
NATS-Server versions prior to 2.12.6

Description
NATS-Server is a high-performance server for NATS.io, a cloud and edge native messaging system. When using Access Control Lists (ACLs) on message subjects, these ACLs were not applied in the $MQTT.> namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects. This issue affects the MQTT client interface provided by nats-server. No known workarounds are available.

Recommendations
Update to NATS-Server version 2.11.15 or later.
Update to NATS-Server version 2.12.6 or later.
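Because no workaround is listed, the practical defender action is to find every nats-server instance still inside the affected ranges and schedule the upgrade. The following script is an added example, not part of this advisory or of the NATS project; it encodes only the two fixed versions stated above (2.11.15 for the 2.11 line, 2.12.6 for the 2.12 line) and runs over a constructed inventory of hostnames paired with the output of `nats-server --version`. Versions at or above the fix for their line are treated as fixed, following the advisory's "or later" wording; the hostnames and version strings in the inventory are made up for the example.

```python
"""Flag nats-server instances affected by CVE-2026-33217 from version strings."""
import re
from typing import List, Tuple

# Fixed versions exactly as stated in the advisory; anything below the fix
# for its minor line is affected, anything at or above it is fixed.
FIXED_2_11 = (2, 11, 15)
FIXED_2_12 = (2, 12, 6)

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract major.minor.patch from e.g. 'nats-server: v2.11.14' or '2.12.3'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no semantic version found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(version: str) -> bool:
    """True when the version falls inside a range the advisory lists as affected."""
    v = parse_version(version)
    if v[:2] == (2, 12):
        # 2.12.0 .. 2.12.5 are affected; 2.12.6 and later are fixed.
        return v < FIXED_2_12
    # Every other version below 2.11.15 (including older minor lines) is affected.
    return v < FIXED_2_11


def recommended_fix(version: str) -> str:
    """Return the advisory's fixed version for the running minor line."""
    v = parse_version(version)
    if v[:2] == (2, 12):
        return "%d.%d.%d" % FIXED_2_12
    return "%d.%d.%d" % FIXED_2_11


# Constructed inventory: "<hostname> <nats-server --version output>" per line.
CONSTRUCTED_INVENTORY = """\
broker-a nats-server: v2.11.14
broker-b nats-server: v2.11.15
edge-01 nats-server: v2.12.5
edge-02 nats-server: v2.12.6
lab-01 nats-server: v2.10.22
"""


def hosts_needing_update(inventory: str) -> List[str]:
    """Return the hostnames whose reported version is inside an affected range."""
    needing: List[str] = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, version_text = line.partition(" ")
        if is_affected(version_text):
            needing.append(host)
    return needing


if __name__ == "__main__":
    for host in hosts_needing_update(CONSTRUCTED_INVENTORY):
        line = next(l for l in CONSTRUCTED_INVENTORY.splitlines() if l.startswith(host + " "))
        print(f"{host}: affected, upgrade to {recommended_fix(line)}")
```

On the constructed inventory the script reports broker-a, edge-01 and lab-01; broker-b and edge-02 already run the fixed releases for their lines. Feed it real `nats-server --version` output from your fleet in the same "host version" shape to get the actual upgrade list.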

Weakness Enumeration

Incorrect Authorization

Related Identifiers

BIT-NATS-2026-33217
CVE-2026-33217
GHSA-JXXM-27VP-C3M5
GO-2026-4834
SUSE-SU-2026:1135-1

Affected Products

Nats Server