Platform
go
Component
github.com/nats-io/nats-server
Fixed in
2.11.16
2.12.1
2.11.15
CVE-2026-33215 describes a vulnerability in NATS Server related to MQTT connection hijacking. It allows an attacker to potentially take control of MQTT clients by exploiting weaknesses in how the server handles Client IDs. The vulnerability affects versions of NATS Server before 2.11.15; a fix is available in version 2.11.15.
The vulnerability lies in how NATS Server handles Client IDs within MQTT connections. An attacker can craft malicious MQTT messages with specific Client IDs to hijack existing connections. Successful exploitation could allow an attacker to impersonate legitimate MQTT clients, subscribe to their topics, publish messages as them, and potentially gain unauthorized access to sensitive data or control over devices connected to the NATS server. The impact is particularly concerning in IoT deployments and other scenarios where MQTT is used for critical communication.
CVE-2026-33215 was publicly disclosed on 2026-03-26. Currently, there are no publicly available proof-of-concept exploits. The KEV status is pending evaluation. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Organizations utilizing NATS Server for MQTT communication, particularly those in IoT deployments or those relying on MQTT for critical control systems, are at risk. Environments with legacy NATS Server installations or those that have not implemented robust Client ID validation practices are especially vulnerable.
• linux / server:
journalctl -u nats-server -f | grep -i mqtt  # follow the server log and keep only MQTT connection events
• generic web:
curl -s http://<nats_server_ip>:8222/varz | grep '"version"'  # check the version reported on the monitoring port (default 8222); anything below the fixed-in release is affected
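An added example, not part of this advisory or of the NATS project, that applies the "Fixed in" thresholds from the header (2.11.15 for the 2.11 line, 2.12.1 for the 2.12 line; an assumption, since the text below also names 2.12.6) to the version string reported by the server's /varz monitoring endpoint. The /varz response it parses is a constructed sample.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// First patched release per minor line, taken from the "Fixed in" header of
// this advisory: 2.11.15 for the 2.11 line and 2.12.1 for the 2.12 line.
var fixedIn = map[[2]int]int{{2, 11}: 15, {2, 12}: 1}

// parseVersion turns "v2.11.14" or "2.11.14-beta" into [major, minor, patch].
func parseVersion(s string) ([3]int, error) {
	var v [3]int
	n, err := fmt.Sscanf(strings.TrimPrefix(s, "v"), "%d.%d.%d", &v[0], &v[1], &v[2])
	if err != nil || n != 3 {
		return v, fmt.Errorf("unexpected version %q", s)
	}
	return v, nil
}

// Vulnerable reports whether a nats-server version predates the fix for its
// minor line; lines older than 2.11 have no fix, lines newer than 2.12 include it.
func Vulnerable(version string) (bool, error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	if patch, ok := fixedIn[[2]int{v[0], v[1]}]; ok {
		return v[2] < patch, nil
	}
	return v[0] < 2 || (v[0] == 2 && v[1] < 11), nil
}

// VarzVersion extracts "version" from a /varz monitoring response
// (http://<host>:8222/varz) and checks it with Vulnerable.
func VarzVersion(varz []byte) (string, bool, error) {
	var doc struct{ Version string `json:"version"` }
	if err := json.Unmarshal(varz, &doc); err != nil {
		return "", false, err
	}
	vuln, err := Vulnerable(doc.Version)
	return doc.Version, vuln, err
}
func main() {
	// constructed sample of a /varz response, trimmed to the field we need
	sample := []byte(`{"server_id":"NCXYZ","version":"2.11.14","go":"go1.22"}`)
	fmt.Println(VarzVersion(sample)) // 2.11.14 true <nil>
}
```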
Exploit status
EPSS
0.01% (3rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33215 is to upgrade NATS Server to version 2.11.15 or later. This version includes a fix that addresses the Client ID handling vulnerability. If immediate upgrading is not possible, consider implementing stricter Client ID validation rules within your MQTT client applications to prevent the use of predictable or easily guessable Client IDs. Additionally, review your NATS server configuration to ensure that only authorized clients are allowed to connect. After upgrading, verify the fix by attempting to establish an MQTT connection with a manipulated Client ID and confirming that the connection is rejected.
Upgrade NATS Server to version 2.11.15 or later, or to version 2.12.6 or later. This fixes the session and message hijacking vulnerability via the MQTT Client ID.
CVE-2026-33215 is a medium severity vulnerability in NATS Server affecting versions before 2.11.15. It allows an attacker to hijack MQTT connections by manipulating Client IDs, potentially gaining unauthorized access.
You are affected if you are running NATS Server versions prior to 2.11.15 and utilize MQTT communication. Assess your deployment and upgrade as soon as possible.
Upgrade NATS Server to version 2.11.15 or later to address the vulnerability. Implement stricter Client ID validation in your MQTT clients as an interim measure.
Currently, there are no publicly known active exploitation campaigns for CVE-2026-33215, but continuous monitoring is recommended.
Refer to the official NATS Server security advisories on the NATS website or GitHub repository for detailed information and updates regarding CVE-2026-33215.