PT-2026-29123 · Nanomq · Nanomq

Lowjaylinyu · Published 2026-03-30 · Updated 2026-03-31 · CVE-2026-32696

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

NanoMQ versions prior to 0.24.7

Description

NanoMQ MQTT Broker is an Edge Messaging Platform. In NanoMQ version 0.24.6, when HTTP authentication is enabled (auth.http_auth) and its configuration parameters use the placeholders %u and %P (e.g., username="%u", password="%P"), a client that sends an MQTT CONNECT without a username/password triggers a crash. This occurs because the set_data() function in auth_http.c calls strlen() on a NULL pointer, resulting in a SIGSEGV crash. The crash can be triggered remotely, leading to a denial of service.

Recommendations

Upgrade to NanoMQ version 0.24.7 or later.
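
The failure mode in the description, shown as an added C example that is not NanoMQ's code or its actual fix: placeholder expansion for an HTTP auth request body that checks for an absent username/password before any length calculation. The struct, the function names, the form-style body layout and the choice to send empty values are assumptions made for illustration; values are not URL-encoded here.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical types and names for illustration; not NanoMQ's own code. */
struct auth_param { const char *name; const char *tmpl; };

/* Resolve a template value: "%u" -> username, "%P" -> password, anything
 * else is a literal. The result is NULL when the CONNECT packet carried no
 * username/password, so it must never go straight into strlen(). */
static const char *resolve(const char *tmpl, const char *user, const char *pass)
{
    if (strcmp(tmpl, "%u") == 0) return user;
    if (strcmp(tmpl, "%P") == 0) return pass;
    return tmpl;
}

/* Build "name=value&name=value" into dst. Absent fields become empty values
 * (a design choice made here) and are counted in *missing so the caller can
 * deny the connection instead. Returns the body length, or -1 if dst is too
 * small. */
int build_auth_body(char *dst, size_t cap, const struct auth_param *p, size_t n,
                    const char *user, const char *pass, int *missing)
{
    size_t off = 0;
    *missing = 0;
    if (cap == 0) return -1;
    dst[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        const char *v = resolve(p[i].tmpl, user, pass);
        if (v == NULL) {          /* without this check, NULL reaches %s/strlen */
            v = "";
            (*missing)++;
        }
        int w = snprintf(dst + off, cap - off, "%s%s=%s", i ? "&" : "", p[i].name, v);
        if (w < 0 || (size_t)w >= cap - off) return -1;   /* truncated */
        off += (size_t)w;
    }
    return (int)off;
}

int main(void)
{
    const struct auth_param cfg[] = { {"username", "%u"}, {"password", "%P"} };
    char body[128];
    int missing;
    /* Constructed input: CONNECT without username/password -> both NULL. */
    int len = build_auth_body(body, sizeof body, cfg, 2, NULL, NULL, &missing);
    printf("%d bytes, %d missing: %s\n", len, missing, body);
    return 0;
}
```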

Exploit

Fix

NULL Pointer Dereference

Weakness Enumeration

Related Identifiers

CVE-2026-32696
GHSA-77F4-WVQ8-MP3P

Affected Products

Nanomq