{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33216", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T23:23:58.314Z", "datePublished": "2026-03-25T19:41:55.670Z", "dateUpdated": "2026-03-25T19:47:49.517Z"}, "containers": {"cna": {"title": "NATS has MQTT plaintext password disclosure", "problemTypes": [{"descriptions": [{"cweId": "CWE-256", "lang": "en", "description": "CWE-256: Plaintext Storage of a Password", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-v722-jcv5-w7mc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-v722-jcv5-w7mc"}, {"name": "https://github.com/nats-io/nats-server/commit/b5b63cfc35a57075e09c1f57503d31721bed8099", "tags": ["x_refsource_MISC"], "url": "https://github.com/nats-io/nats-server/commit/b5b63cfc35a57075e09c1f57503d31721bed8099"}, {"name": "https://advisories.nats.io/CVE/secnote-2026-05.txt", "tags": ["x_refsource_MISC"], "url": "https://advisories.nats.io/CVE/secnote-2026-05.txt"}], "affected": [{"vendor": "nats-io", "product": "nats-server", "versions": [{"version": "< 2.11.15", "status": "affected"}, {"version": ">= 2.12.0-RC.1, < 2.12.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T19:47:49.517Z"}, "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints. Versions 2.11.14 and 2.12.6 contain a fix. As a workaround, ensure monitoring end-points are adequately secured. Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users."}], "source": {"advisory": "GHSA-v722-jcv5-w7mc", "discovery": "UNKNOWN"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "matchCriteriaId": "13EA156E-2759-4586-A22E-CDEAAD4D610C", "versionEndExcluding": "2.11.15", "vulnerable": true}, {"criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "matchCriteriaId": "4E347CFB-C56D-4FD8-8DD8-3D34C08D7154", "versionEndExcluding": "2.12.6", "versionStartIncluding": "2.12.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints. Versions 2.11.14 and 2.12.6 contain a fix. As a workaround, ensure monitoring end-points are adequately secured. Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users."}], "id": "CVE-2026-33216", "lastModified": "2026-03-26T17:14:04.097", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-25T20:16:32.320", "references": [{"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://advisories.nats.io/CVE/secnote-2026-05.txt"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nats-io/nats-server/commit/b5b63cfc35a57075e09c1f57503d31721bed8099"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-v722-jcv5-w7mc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-256"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "nats-server: github.com/nats-io/nats-server: NATS-Server: Information disclosure of MQTT passwords through monitoring endpoints", "id": "2451448", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451448"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-213", "details": ["A flaw was found in NATS-Server, a high-performance server for the NATS.io messaging system. For MQTT deployments utilizing usercodes and passwords, the MQTT passwords were mistakenly categorized as non-authenticating identity statements (JSON Web Tokens - JWT). This misclassification leads to the exposure of these passwords through monitoring endpoints, enabling an attacker with access to these endpoints to gain sensitive information."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-33216", "package_state": [{"cpe": "cpe:/a:redhat:multicluster_globalhub", "fix_state": "Affected", "package_name": "multicluster-globalhub/multicluster-globalhub-grafana-rhel9", "product_name": "Multicluster Global Hub"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/oc-mirror-plugin-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-03-25T19:41:55Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33216\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33216\nhttps://advisories.nats.io/CVE/secnote-2026-05.txt\nhttps://github.com/nats-io/nats-server/commit/b5b63cfc35a57075e09c1f57503d31721bed8099\nhttps://github.com/nats-io/nats-server/security/advisories/GHSA-v722-jcv5-w7mc"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.11.15)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.12.0-RC.1,2.12.6)"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 91.0, "source": "matching"}]}, "original": {"product": "nats-server", "source": "cna", "vendor": "nats-io"}, "product": "nats_server", "vendor": "nats"}], "analysis": {"en": {"generated_at": "2026-03-26T18:55:53.804060+00:00", "value": {"mitigation_remediation": ["Apply the latest version of NATS\u2011Server (2.11.15 or newer, or 2.12.6 or newer).", "Restrict access to the monitoring endpoints using firewall rules or network segmentation."], "summary": {"action": "Patch immediately", "impact": "Plaintext password disclosure"}, "threat_synthesis": {"affected_systems": "Affected by the NATS.io community in the nats\u2011io:nats\u2011server product. Versions prior to 2.11.15 of the 2.11.x series and prior to 2.12.6 of the 2.12.x series are impacted. The fix is incorporated starting at 2.11.15 and 2.12.6.", "description_and_impact": "The vulnerability in NATS\u2011Server allows an attacker to read MQTT passwords in clear text. Passwords are mistakenly exposed as non\u2011authenticating identity statements and can be retrieved through monitoring endpoints. This flaw can compromise user credentials, leading to unauthorized access to MQTT topics and possible downstream systems, thereby violating confidentiality.", "risk_and_exploitability": "The CVSS score of 8.6 indicates a high severity, while the EPSS value of less than 1\u202f% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, but it remains a significant risk if monitoring endpoints are reachable. Attackers gain read access through the monitoring API when it is improperly exposed, and the exploit path requires network connectivity to that endpoint. Once compromised, an attacker can obtain stored passwords for MQTT users."}}}}, "created": "2026-03-25T21:46:23.121322+00:00", "updated": "2026-03-27T09:30:14.621412+00:00", "vendors": ["nats", "nats$PRODUCT$nats_server"]}