Zero Day Monitor
CVE-2026-33217 (CVSS 7.1)

NATS allows MQTT clients to bypass ACL checks

Description

A vulnerability categorized as critical has been discovered in nats-io nats-server up to 2.11.14/2.12.5. Affected by this vulnerability is an unknown functionality. Executing a manipulation can lead to incorrect authorization. This vulnerability is registered as CVE-2026-33217. It is possible to launch the attack remotely.

Affected Products

Vendor:  go
Product: github.com/nats-io/nats-server/v2
Versions:
  - < 2.11.15
  - >= 2.12.0-RC.1, < 2.12.6
  - <= 2.11.14
  - <= 2.12.5

References

  • https://github.com/advisories/GHSA-jxxm-27vp-c3m5 (advisory)
  • https://github.com/nats-io/nats-server/security/advisories/GHSA-jxxm-27vp-c3m5
  • https://advisories.nats.io/CVE/secnote-2026-07.txt

Related News (1 article)

  • VulDB (Tier C, 4h ago): CVE-2026-33217 | nats-io nats-server up to 2.11.14/2.12.5 authorization
    → No new info (linked only)
CVSS 3.1: 7.1 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
CISA KEV: No
Actively exploited: Yes
CWE: CWE-863
Published: 3/24/2026
Last enriched: 2h ago (v2)
Tags: GHSA-jxxm-27vp-c3m5, go
Trending Score: 41
Source articles: 2
Independent: 1
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Verification

State: unverified
Confidence: 0%

Version History

v2 (Tier C, 2h ago, via VulDB)
  Updated severity to CRITICAL, added affected versions up to 2.11.14 and 2.12.5, and noted that no exploit is available.
  Fields changed: description, affectedVersions, severity, activelyExploited, patchAvailable

v1 (10h ago)
  Initial creation