Platform: go
Component: github.com/nats-io/nats-server
Fixed versions: 2.11.16, 2.12.1, 2.11.15
CVE-2026-33215 describes a vulnerability in NATS Server, specifically related to MQTT connection hijacking. This allows an attacker to potentially take control of MQTT clients by exploiting weaknesses in how the server handles Client IDs. The vulnerability impacts versions of NATS Server before 2.11.15, and a fix is available in version 2.11.15.
The vulnerability lies in how NATS Server handles Client IDs within MQTT connections. An attacker can craft malicious MQTT messages with specific Client IDs to hijack existing connections. Successful exploitation could allow an attacker to impersonate legitimate MQTT clients, subscribe to their topics, publish messages as them, and potentially gain unauthorized access to sensitive data or control over devices connected to the NATS server. The impact is particularly concerning in IoT deployments and other scenarios where MQTT is used for critical communication.
CVE-2026-33215 was publicly disclosed on 2026-03-26. Currently, there are no publicly available proof-of-concept exploits. The KEV status is pending evaluation. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Organizations utilizing NATS Server for MQTT communication, particularly those in IoT deployments or those relying on MQTT for critical control systems, are at risk. Environments with legacy NATS Server installations or those that have not implemented robust Client ID validation practices are especially vulnerable.
• linux / server:
journalctl -u nats-server -f | grep 'Client ID hijacking'
• generic web:
curl -s http://<nats_server_ip>:8222/varz | grep '"version"'  # check the version disclosed by the monitoring endpoint (only works if monitoring is enabled)
Exploit status
EPSS
0.01% (3rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33215 is to upgrade NATS Server to version 2.11.15 or later. This version includes a fix that addresses the Client ID handling vulnerability. If immediate upgrading is not possible, consider implementing stricter Client ID validation rules within your MQTT client applications to prevent the use of predictable or easily guessable Client IDs. Additionally, review your NATS server configuration to ensure that only authorized clients are allowed to connect. After upgrading, verify the fix by attempting to establish an MQTT connection with a manipulated Client ID and confirming that the connection is rejected.
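As an added illustration of the version check this mitigation calls for (example code written for this page, not the NATS project's own tooling): the script below reads the version reported by the NATS monitoring endpoint (/varz, default port 8222, which must be enabled on the server) and compares it with the lowest fixed release per branch taken from the fixed-versions list at the top of this page (2.11.15 and 2.12.1). The embedded JSON is a constructed sample so the script runs offline, and the presence of an `mqtt` block in the /varz output is an assumption.

```python
"""Check a NATS Server version against the fixed releases listed for CVE-2026-33215.

Added example, not the NATS project's code. Assumes the monitoring endpoint
(/varz, default port 8222) is enabled; the embedded JSON is a constructed sample
so the script runs offline.
"""
import json
import re
import sys
import urllib.request

# Lowest fixed release per minor branch, taken from this page's fixed-versions list.
FIXED_VERSIONS = {(2, 11): (2, 11, 15), (2, 12): (2, 12, 1)}

# Constructed sample of /varz output; only "version" (and the assumed "mqtt" block) matter here.
SAMPLE_VARZ = (
    '{"server_id": "EXAMPLE", "version": "2.11.14", "go": "go1.24.0", '
    '"mqtt": {"host": "0.0.0.0", "port": 1883}}'
)


def parse_version(text):
    """Turn '2.11.14' or 'v2.11.14' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version, fixed=FIXED_VERSIONS):
    """True when the version is below the fix floor of its minor branch."""
    v = parse_version(version)
    floor = fixed.get(v[:2])
    if floor is None:
        # Branch not in the fixed list: anything older than the oldest fixed
        # release is treated as affected, newer branches as carrying the fix.
        return v < min(fixed.values())
    return v < floor


def mqtt_enabled(varz):
    """Assumption: /varz exposes the MQTT listener under an "mqtt" key when enabled."""
    return bool(varz.get("mqtt", {}).get("port"))


def assess(varz_json):
    """Combine version and MQTT exposure into a single verdict."""
    varz = json.loads(varz_json)
    version = varz["version"]
    return {
        "version": version,
        "vulnerable": is_vulnerable(version),
        "mqtt_enabled": mqtt_enabled(varz),
    }


def fetch_varz(url):
    """Fetch /varz from a live server, e.g. http://127.0.0.1:8222/varz."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    data = fetch_varz(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_VARZ
    print(json.dumps(assess(data)))
```

Run it with no arguments to see the verdict for the constructed sample, or pass the URL of a real monitoring endpoint; a server that reports `vulnerable: true` together with `mqtt_enabled: true` is the case the upgrade in this section is meant to address.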
Update NATS Server to version 2.11.15 or later, or to version 2.12.6 or later. This fixes the session and message hijacking vulnerability via the MQTT Client ID.
CVE-2026-33215 is a medium severity vulnerability in NATS Server affecting versions before 2.11.15. It allows an attacker to hijack MQTT connections by manipulating Client IDs, potentially gaining unauthorized access.
You are affected if you are running NATS Server versions prior to 2.11.15 and utilize MQTT communication. Assess your deployment and upgrade as soon as possible.
Upgrade NATS Server to version 2.11.15 or later to address the vulnerability. Implement stricter Client ID validation in your MQTT clients as an interim measure.
Currently, there are no publicly known active exploitation campaigns for CVE-2026-33215, but continuous monitoring is recommended.
Refer to the official NATS Server security advisories on the NATS website or GitHub repository for detailed information and updates regarding CVE-2026-33215.