NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server provides an MQTT client interface.
For MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints.
Any version before v2.12.6 or v2.11.15
Ensure monitoring end-points are adequately secured.
Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users.
| Score | Percentile |
|---|---|
| 0.04% | 13.37% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 8.6 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-v722-jcv5-w7mc ↗ |
| CVE | CVE-2026-33216 ↗ |
| CWE id | Name |
|---|---|
| CWE-256 | Plaintext Storage of a Password |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| go | github.com/nats-io/nats-server/v2 | < 2.11.15 | 2.11.15 | — |
| go | github.com/nats-io/nats-server/v2 | >= 2.12.0-RC.1, < 2.12.6 | 2.12.6 | — |
| go | github.com/nats-io/nats-server | > 0 | — | — |