CVE-2026-33217 (GCVE-0-2026-33217)

Vulnerability from cvelistv5 – Published: 2026-03-25 19:43 – Updated: 2026-06-30 12:07
VLAI
Title
NATS allows MQTT clients to bypass ACL checks
Summary
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using ACLs on message subjects, these ACLs were not applied in the `$MQTT.>` namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-863 - Incorrect Authorization
  • CWE-425 - Direct Request ('Forced Browsing')
Assigner
Impacted products
Vendor Product Version
nats-io nats-server Affected: < 2.11.15
Affected: >= 2.12.0-RC.1, < 2.12.6
Create a notification for this product.
Red Hat Multicluster Global Hub 1.4.5     cpe:/a:redhat:multicluster_globalhub:1.4::el9
Create a notification for this product.
Red Hat Multicluster Global Hub 1.5.4     cpe:/a:redhat:multicluster_globalhub:1.5::el9
Create a notification for this product.
Red Hat Multicluster Global Hub 1.6.2     cpe:/a:redhat:multicluster_globalhub:1.6::el9
Create a notification for this product.
Red Hat Red Hat OpenShift Container Platform 4     cpe:/a:redhat:openshift:4
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33217",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-25T20:07:59.832372Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-25T20:08:22.861Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:/a:redhat:multicluster_globalhub:1.4::el9"
            ],
            "defaultStatus": "affected",
            "product": "Multicluster Global Hub 1.4.5",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:multicluster_globalhub:1.5::el9"
            ],
            "defaultStatus": "affected",
            "product": "Multicluster Global Hub 1.5.4",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:multicluster_globalhub:1.6::el9"
            ],
            "defaultStatus": "affected",
            "product": "Multicluster Global Hub 1.6.2",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift:4"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat OpenShift Container Platform 4",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-03-25T19:43:40.969Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in NATS-Server. When Access Control Lists (ACLs) were configured for message subjects, these controls were not correctly applied within the `$MQTT.\u003e` namespace. This oversight allows MQTT clients to bypass the intended ACL checks, potentially granting unauthorized access to sensitive message subjects. This vulnerability could lead to information disclosure or unauthorized message manipulation."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 8.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-425",
                "description": "Direct Request (\u0027Forced Browsing\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-30T12:07:36.744Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-33217"
          },
          {
            "name": "RHBZ#2451446",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451446"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33217.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:22347"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:21769"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:23345"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:22347: Multicluster Global Hub 1.4.5"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:21769: Multicluster Global Hub 1.5.4"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:23345: Multicluster Global Hub 1.6.2"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-03-25T20:01:47.815Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-03-25T19:43:40.969Z",
            "value": "Made public."
          }
        ],
        "title": "nats-server: github.com/nats-io/nats-server: NATS-Server: Access control bypass via unapplied ACLs in MQTT namespace",
        "workarounds": [
          {
            "lang": "en",
            "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nats-server",
          "vendor": "nats-io",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.11.15"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.12.0-RC.1, \u003c 2.12.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using ACLs on message subjects, these ACLs were not applied in the `$MQTT.\u003e` namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863: Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-25T19:49:48.934Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-jxxm-27vp-c3m5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-jxxm-27vp-c3m5"
        },
        {
          "name": "https://advisories.nats.io/CVE/secnote-2026-07.txt",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://advisories.nats.io/CVE/secnote-2026-07.txt"
        }
      ],
      "source": {
        "advisory": "GHSA-jxxm-27vp-c3m5",
        "discovery": "UNKNOWN"
      },
      "title": "NATS allows MQTT clients to bypass ACL checks"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33217",
    "datePublished": "2026-03-25T19:43:40.969Z",
    "dateReserved": "2026-03-17T23:23:58.314Z",
    "dateUpdated": "2026-06-30T12:07:36.744Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-33217",
      "date": "2026-07-05",
      "epss": "0.00259",
      "percentile": "0.17303"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33217\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-25T20:16:32.473\",\"lastModified\":\"2026-06-30T03:18:38.350\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using ACLs on message subjects, these ACLs were not applied in the `$MQTT.\u003e` namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.\"},{\"lang\":\"es\",\"value\":\"NATS-Server es un servidor de alto rendimiento para NATS.io, un sistema de mensajer\u00eda nativo de la nube y del borde. Antes de las versiones 2.11.15 y 2.12.6, al usar ACLs en los temas de mensajes, estas ACLs no se aplicaban en el espacio de nombres \u0027$MQTT.\u0026gt;\u0027, permitiendo a los clientes MQTT eludir las comprobaciones de ACL para los temas MQTT. Las versiones 2.11.15 y 2.12.6 contienen una correcci\u00f3n. No se conocen soluciones alternativas disponibles.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"nats-io\",\"product\":\"nats-server\",\"versions\":[{\"version\":\"\u003c 2.11.15\",\"status\":\"affected\"},{\"version\":\"\u003e= 2.12.0-RC.1, \u003c 2.12.6\",\"status\":\"affected\"}]}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"affectedData\":[{\"vendor\":\"Red Hat\",\"product\":\"Multicluster Global Hub 1.4.5\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:multicluster_globalhub:1.4::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Multicluster Global Hub 1.5.4\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:multicluster_globalhub:1.5::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Multicluster Global Hub 1.6.2\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:multicluster_globalhub:1.6::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Container Platform 4\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:openshift:4\"]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":4.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-03-25T20:07:59.832372Z\",\"id\":\"CVE-2026-33217\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-425\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.11.15\",\"matchCriteriaId\":\"13EA156E-2759-4586-A22E-CDEAAD4D610C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.12.0\",\"versionEndExcluding\":\"2.12.6\",\"matchCriteriaId\":\"4E347CFB-C56D-4FD8-8DD8-3D34C08D7154\"}]}]}],\"references\":[{\"url\":\"https://advisories.nats.io/CVE/secnote-2026-07.txt\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/nats-io/nats-server/security/advisories/GHSA-jxxm-27vp-c3m5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:21769\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:22347\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:23345\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/security/cve/CVE-2026-33217\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2451446\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33217.json\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33217\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-25T20:07:59.832372Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-25T20:08:06.939Z\"}}], \"cna\": {\"title\": \"NATS allows MQTT clients to bypass ACL checks\", \"source\": {\"advisory\": \"GHSA-jxxm-27vp-c3m5\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"nats-io\", \"product\": \"nats-server\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.11.15\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.12.0-RC.1, \u003c 2.12.6\"}]}], \"references\": [{\"url\": \"https://github.com/nats-io/nats-server/security/advisories/GHSA-jxxm-27vp-c3m5\", \"name\": \"https://github.com/nats-io/nats-server/security/advisories/GHSA-jxxm-27vp-c3m5\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://advisories.nats.io/CVE/secnote-2026-07.txt\", \"name\": \"https://advisories.nats.io/CVE/secnote-2026-07.txt\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using ACLs on message subjects, these ACLs were not applied in the `$MQTT.\u003e` namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"CWE-863: Incorrect Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-25T19:49:48.934Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33217\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-25T20:08:22.861Z\", \"dateReserved\": \"2026-03-17T23:23:58.314Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-25T19:43:40.969Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…