VYPR
Moderate severityNVD Advisory· Published Mar 24, 2026· Updated Mar 25, 2026

NATS is vulnerable to MQTT hijacking via Client ID

CVE-2026-33215

Description

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server provides an MQTT client interface. Prior to versions 2.11.15 and 2.12.5, Sessions and Messages can by hijacked via MQTT Client ID malfeasance. Versions 2.11.15 and 2.12.5 patch the issue. No known workarounds are available.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/nats-io/nats-server/v2Go
< 2.11.152.11.15
github.com/nats-io/nats-server/v2Go
>= 2.12.0-RC.1, < 2.12.62.12.6

Affected products

38

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.