CVE-2026-32696
Status: Received
Null Pointer Dereference in NanoMQ MQTT Broker Causes DoS

Publication date: 2026-03-30

Last updated on: 2026-04-13

Assigner: GitHub, Inc.

Description
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In NanoMQ version 0.24.6, with auth.http_auth (HTTP authentication) enabled, a client can connect to the broker with an MQTT CONNECT packet that carries no username or password. If the configured params use the placeholders %u / %P (e.g., username="%u", password="%P"), the HTTP request construction phase in auth_http.c:set_data() substitutes the absent fields, which are NULL pointers, and calls strlen() on one of them, causing a SIGSEGV crash. Because a CONNECT packet without credentials is valid MQTT and is processed before any authentication decision, the crash can be triggered remotely and without credentials, resulting in a denial of service. This issue has been patched in version 0.24.7.
Meta Information
Published: 2026-03-30
Last Modified: 2026-04-13
Generated: 2026-06-16
AI Q&A: 2026-03-31
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor | Product | Version / Range
emqx | nanomq | all versions before 0.24.7 (0.24.7 excluded)
CWE ID | Description
CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL.
Compliance Impact

The vulnerability in NanoMQ MQTT Broker causes a remote denial of service (DoS): a valid MQTT CONNECT packet that simply omits the optional username and password crashes the broker process when HTTP authentication is configured with the %u / %P placeholders. It does not involve unauthorized data access, data leakage, or modification.

Since the issue results in an availability impact only (denial of service) and does not compromise confidentiality or integrity, its direct effect on compliance with standards like GDPR or HIPAA, which primarily focus on protecting the confidentiality and integrity of personal data, is limited.

However, availability is also a component of many security frameworks, so prolonged or repeated DoS could indirectly affect compliance by disrupting service availability requirements, particularly where the broker carries safety- or operations-relevant telemetry.

Executive Summary

This vulnerability exists in NanoMQ MQTT Broker version 0.24.6 when HTTP authentication (auth.http_auth) is enabled. If a client connects without providing a username or password, and the configuration uses placeholders %u and %P for username and password respectively, the software attempts to calculate the length of a NULL pointer during HTTP request construction. This causes a segmentation fault (SIGSEGV) crash.

The crash occurs in the function auth_http.c:set_data(), leading to a denial of service condition that can be triggered remotely.

This issue was fixed in NanoMQ version 0.24.7.
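The following is an added example that reconstructs the shape of the bug described in the Description and Executive Summary above, beside a hardened form. It is not NanoMQ's code: the real auth_http.c:set_data() is not reproduced, and the connect_info / auth_param structures, the placeholder set (%u, %P, %c), the function names and the application/x-www-form-urlencoded body format are assumptions made for illustration. An MQTT CONNECT may legitimately omit username and password, so a parser typically leaves those fields NULL; the vulnerable path hands such a field straight to strlen(), while the hardened path substitutes an empty string and lets the HTTP authentication backend decide.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the fields a broker keeps from an MQTT CONNECT.
 * Username and password are optional in the CONNECT packet; the parser
 * leaves them NULL when the corresponding connect flags are clear. */
typedef struct {
    const char *client_id;
    const char *username;   /* NULL if CONNECT carries no username */
    const char *password;   /* NULL if CONNECT carries no password */
} connect_info;

/* One configured HTTP auth parameter, e.g. {"username", "%u"} (assumed shape). */
typedef struct {
    const char *key;
    const char *tmpl;
} auth_param;

/* Constructed configuration equivalent to username="%u", password="%P". */
static const auth_param default_params[] = {
    {"clientid", "%c"}, {"username", "%u"}, {"password", "%P"},
};
static const size_t default_nparams =
    sizeof(default_params) / sizeof(default_params[0]);

/* Resolve a placeholder to the CONNECT field it refers to; a non-placeholder
 * template is a literal value and is returned unchanged. May return NULL. */
static const char *resolve(const char *tmpl, const connect_info *c) {
    if (strcmp(tmpl, "%u") == 0) return c->username;
    if (strcmp(tmpl, "%P") == 0) return c->password;
    if (strcmp(tmpl, "%c") == 0) return c->client_id;
    return tmpl;
}

/* Vulnerable shape (hypothetical, modelled on the advisory text): the resolved
 * value goes straight to strlen(), so an anonymous CONNECT with %u / %P
 * configured dereferences NULL and the broker dies with SIGSEGV. */
static size_t value_len_vulnerable(const char *tmpl, const connect_info *c) {
    return strlen(resolve(tmpl, c));   /* SIGSEGV when the field is absent */
}

/* Hardened: an absent field becomes the empty string, so the request is still
 * well-formed and the auth backend can reject the anonymous client itself.
 * Returns the length snprintf would have written (may exceed cap). */
static size_t append_value(char *dst, size_t cap, const char *tmpl,
                           const connect_info *c) {
    const char *v = resolve(tmpl, c);
    if (v == NULL) v = "";
    return (size_t)snprintf(dst, cap, "%s", v);
}

/* Build a form body such as "clientid=sensor-7&username=&password=" into out.
 * Returns the body length, or -1 if it does not fit in cap. Values are not
 * percent-encoded here; production code must encode them. */
static int build_auth_body(char *out, size_t cap, const auth_param *params,
                           size_t nparams, const connect_info *c) {
    size_t used = 0;
    for (size_t i = 0; i < nparams; i++) {
        int n = snprintf(out + used, cap - used, "%s%s=",
                         i ? "&" : "", params[i].key);
        if (n < 0 || (size_t)n >= cap - used) return -1;
        used += (size_t)n;
        size_t m = append_value(out + used, cap - used, params[i].tmpl, c);
        if (m >= cap - used) return -1;
        used += m;
    }
    return (int)used;
}

int main(void) {
    char body[256];
    /* Constructed anonymous CONNECT: client id only, no credentials. */
    connect_info anon = {"sensor-7", NULL, NULL};
    int n = build_auth_body(body, sizeof body, default_params,
                            default_nparams, &anon);
    printf("hardened body (%d bytes): %s\n", n, body);
    /* value_len_vulnerable("%u", &anon) would dereference NULL here. */
    return 0;
}
```

The hardened path keeps the broker alive and moves the decision about credential-less clients to the HTTP authentication backend, which is where the policy lives anyway; a stricter alternative is to refuse the CONNECT outright (CONNACK return code 0x05, not authorized) when a placeholder resolves to an absent field, which avoids a backend round trip but hard-codes a policy the backend may not share.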

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS). An attacker with network access to the MQTT listener can crash the NanoMQ broker by sending a CONNECT packet that omits the username and password, which is valid MQTT and requires no credentials, when HTTP authentication is enabled with a configuration that uses the %u / %P placeholders. No other prerequisites are described in the advisory.

This crash disrupts the availability of the messaging service, potentially affecting any systems or applications relying on NanoMQ for edge messaging. Because a single packet is sufficient, the attack can be repeated to keep the broker down even if a supervisor restarts the process.

Mitigation Strategies

To mitigate this vulnerability, upgrade NanoMQ to version 0.24.7 or later, where the issue has been patched. The associated CPE range covers all versions before 0.24.7, so do not rely solely on the version 0.24.6 mentioned in the description when checking deployments.

Where an immediate upgrade is not possible, avoid the %u and %P placeholders in the HTTP authentication configuration if clients may connect without a username or password. Note that this removes the credentials from the request the backend sees and may therefore weaken or break authentication; it is an interim step, not a substitute for the patch. Restricting the MQTT listener to trusted networks and running the broker under a process supervisor reduce exposure and recovery time but do not prevent the crash.
