VYPR
Low severity3.1NVD Advisory· Published Mar 30, 2026· Updated Apr 13, 2026

CVE-2026-32696

CVE-2026-32696

Description

NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In NanoMQ version 0.24.6, after enabling auth.http_auth (HTTP authentication), when a client connects to the broker using MQTT CONNECT without providing username/password, and the configuration params uses the placeholders %u / %P (e.g., username="%u", password="%P"), the HTTP request construction phase enters auth_http.c:set_data(). This results in calling strlen() on a NULL pointer, causing a SIGSEGV crash. This crash can be triggered remotely, resulting in a denial of service. This issue has been patched in version 0.24.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Emqx/Nanomq2 versions
    cpe:2.3:a:emqx:nanomq:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:emqx:nanomq:*:*:*:*:*:*:*:*range: <0.24.7
    • (no CPE)range: <=0.24.6

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.