CVE-2026-33217
Received Received - Intake
ACL Bypass in NATS-Server MQTT Namespace Allows Unauthorized Access

Publication date: 2026-03-25

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using ACLs on message subjects, these ACLs were not applied in the `$MQTT.>` namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33217
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linuxfoundation nats-server From 2.12.0 (inc) to 2.12.6 (exc)
linuxfoundation nats-server to 2.11.15 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33217 is a security vulnerability in the nats-server component of NATS.io, a high-performance messaging system used in cloud, on-premise, IoT, and edge computing environments.

The vulnerability occurs because Access Control Lists (ACLs) that are supposed to restrict access to message subjects do not work properly within the $MQTT.> namespace. This means MQTT clients can bypass these ACL checks and gain unauthorized access to MQTT message subjects.

This flaw affects all nats-server versions prior to 2.11.15 and 2.12.6, where the issue was fixed. There are no known workarounds.

Impact Analysis

This vulnerability allows attackers with low privileges to remotely bypass ACLs in the MQTT namespace.

As a result, unauthorized users could access or publish messages they should not be able to, leading to potential unauthorized modification of data (high integrity impact).

While the confidentiality impact is low and availability is not affected, the integrity compromise could lead to significant security risks in systems relying on NATS for messaging.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your nats-server to version 2.11.15 or 2.12.6 or later, as these versions contain the fix for the ACL bypass issue in the $MQTT.> namespace.

No known workarounds are available, so upgrading is the primary and immediate step to secure your system.

Compliance Impact

This vulnerability allows MQTT clients to bypass Access Control Lists (ACLs) within the $MQTT.> namespace, potentially enabling unauthorized modification of data.

Such unauthorized data integrity compromises could impact compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of data integrity.

However, the vulnerability has a low confidentiality impact and no availability impact, meaning data exposure and service disruption risks are limited.

Organizations using affected versions of nats-server should update to fixed versions to maintain compliance with these regulations by ensuring proper enforcement of access controls.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33217. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart