CVE-2026-33215
Received Received - Intake
MQTT Client ID Hijacking in NATS-Server Enables Session Takeover

Publication date: 2026-03-24

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server provides an MQTT client interface. Prior to versions 2.11.15 and 2.12.5, Sessions and Messages can by hijacked via MQTT Client ID malfeasance. Versions 2.11.15 and 2.12.5 patch the issue. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-24
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33215
EUVD
EUVD-2026-15017
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linuxfoundation nats-server From 2.0.0 (inc) to 2.11.15 (exc)
linuxfoundation nats-server From 2.12.0 (inc) to 2.12.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-488 The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The primary mitigation step is to upgrade your nats-server to a fixed version.

  • Upgrade to nats-server version 2.11.15 or later, or 2.12.6 or later.

No known workarounds are available, so patching is the only effective immediate action.

Executive Summary

CVE-2026-33215 is a moderate severity vulnerability affecting the nats-server component of NATS.io, specifically its MQTT client interface. The vulnerability allows an attacker to hijack MQTT sessions and messages by exploiting weaknesses in how the MQTT Client ID is handled.

This issue exists in nats-server versions prior to 2.11.15 and 2.12.6 and can be exploited remotely over the network without requiring any privileges or user interaction, although the attack complexity is high.

Impact Analysis

The vulnerability can lead to unauthorized hijacking of MQTT sessions and messages, resulting in a high confidentiality impact where sensitive data can be accessed by attackers.

Integrity of the data is not affected, but availability impact is low. Since the attack requires no privileges and can be performed remotely, it poses a significant risk to the confidentiality of communications handled by the nats-server MQTT interface.

Compliance Impact

I don't know

Detection Guidance

This vulnerability affects the MQTT client interface of nats-server versions prior to 2.11.15 and 2.12.6. Detection involves identifying if your nats-server instance is running a vulnerable version.

You can check the version of nats-server running on your system by executing the following command:

  • nats-server -version

If the version is earlier than 2.11.15 or 2.12.6, your system is vulnerable.

Additionally, monitoring network traffic for suspicious MQTT Client ID activity or session hijacking attempts may help detect exploitation attempts, but no specific detection commands or tools are provided.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33215. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart