Platform
go
Component
github.com/nats-io/nats-server
Fixed versions
2.11.16
2.12.1
2.11.15
CVE-2026-33215 is a session-hijacking vulnerability in the MQTT support of NATS Server. A weakness in how the server handles MQTT Client IDs lets an attacker take over the session of an existing MQTT client. The vulnerability affects NATS Server versions before 2.11.15; the fix is included in 2.11.15.
The flaw is in the server's handling of the Client ID presented in an MQTT CONNECT. An attacker who can reach the MQTT listener and knows or guesses the Client ID of a legitimate client can connect with that ID and hijack the existing session. A successful takeover lets the attacker impersonate that client: receive messages on its subscriptions, publish as it, and potentially reach sensitive data or control devices attached to the NATS deployment. The impact is most serious in IoT deployments and wherever MQTT carries control traffic.
CVE-2026-33215 was publicly disclosed on 2026-03-26. Currently, there are no publicly available proof-of-concept exploits. The KEV status is pending evaluation. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Organizations utilizing NATS Server for MQTT communication, particularly those in IoT deployments or those relying on MQTT for critical control systems, are at risk. Environments with legacy NATS Server installations or those that have not implemented robust Client ID validation practices are especially vulnerable.
• linux / server:
nats-server --version   # prints the installed release, e.g. "nats-server: v2.11.14"; anything below 2.11.15 is affected
• generic web:
curl -s http://<nats_server_ip>:8222/varz | jq -r .version   # monitoring endpoint (default port 8222, only if enabled); compare against the fixed versions above
A log grep for a phrase such as 'Client ID hijacking' will not match anything: the server emits no log line naming this vulnerability, and the client port (4222) does not speak HTTP, so curl -I against it returns no Server: header. The running version is the reliable indicator.
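Grepping for one exact version string misses every other affected release. The following Go program is an added example, not part of this page or of the NATS project: it reads the version field from a /varz response (a constructed sample body is embedded so it runs offline) and compares it, branch by branch, against the fixed versions listed on this page, 2.11.15 for the 2.11 line and 2.12.1 for the 2.12 line. The per-branch comparison and the assumption that branches newer than 2.12 already carry the fix are mine; confirm both against the upstream advisory, which this page also quotes as 2.12.6 for the 2.12 line.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

type semver struct{ major, minor, patch int }

// fixedVersions holds the first fixed release on each minor branch, taken
// from the fixed-version list on this page (2.11.15 for 2.11.x, 2.12.1 for
// 2.12.x). The page elsewhere says 2.12.6 for the 2.12 line, so confirm the
// 2.12 entry with the upstream advisory. Keep the slice sorted ascending.
var fixedVersions = []semver{{2, 11, 15}, {2, 12, 1}}

// parseVersion accepts "2.11.14", "v2.11.14" or "2.11.14-RC.3". Pre-release
// and build suffixes are ignored, so a release candidate compares like the
// release it precedes; that is an assumption of this example, not NATS policy.
func parseVersion(s string) (semver, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return semver{}, fmt.Errorf("unexpected version format %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return semver{}, fmt.Errorf("non-numeric component in %q", s)
		}
		n[i] = v
	}
	return semver{n[0], n[1], n[2]}, nil
}

func (a semver) less(b semver) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	return a.patch < b.patch
}

// IsAffected reports whether a nats-server version predates the fix on its
// branch. A version on a listed branch is compared against that branch's fix;
// anything older than the oldest fix is affected; anything on a newer branch
// is assumed to carry the fix.
func IsAffected(version string) (bool, error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	for _, f := range fixedVersions {
		if v.major == f.major && v.minor == f.minor {
			return v.less(f), nil
		}
	}
	return v.less(fixedVersions[0]), nil
}

// VersionFromVarz extracts the "version" field from a /varz response body.
func VersionFromVarz(body []byte) (string, error) {
	var varz struct {
		Version string `json:"version"`
	}
	if err := json.Unmarshal(body, &varz); err != nil {
		return "", fmt.Errorf("decode /varz: %w", err)
	}
	if varz.Version == "" {
		return "", errors.New("/varz response has no version field")
	}
	return varz.Version, nil
}

// sampleVarz is a constructed, abbreviated /varz body so the program runs
// offline; in practice fetch it from http://<nats_server_ip>:8222/varz.
const sampleVarz = `{"server_id":"NCEXAMPLE","server_name":"nats-1","version":"2.11.14","port":4222}`

func main() {
	ver, err := VersionFromVarz([]byte(sampleVarz))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	affected, err := IsAffected(ver)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("nats-server %s affected by CVE-2026-33215: %v\n", ver, affected)
}
```

Run it against a real server by replacing sampleVarz with the body returned by the monitoring endpoint; the same IsAffected check works on the output of nats-server --version once the "nats-server: " prefix is stripped.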
Exploitation status
EPSS
0.01% (3rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33215 is to upgrade NATS Server to 2.11.15 or later, which contains the fix for the Client ID handling flaw. If you cannot upgrade immediately, reduce exposure in the meantime: have your MQTT clients use unpredictable Client IDs rather than sequential or otherwise guessable ones, so an attacker cannot simply guess a valid ID, and review the server configuration so that only authenticated, authorized clients can reach the MQTT listener. These steps lower the chance of a successful guess but do not remove the server-side flaw. After upgrading, verify the fix by checking that the server reports 2.11.15 or later (nats-server --version, or the version field of the /varz monitoring endpoint). Do not rely on a functional test alone: the MQTT specification itself lets a new connection that presents an existing Client ID replace the earlier session, so seeing a duplicate-ID connection accepted is not by itself evidence that the server is still vulnerable.
Update NATS-Server to 2.11.15 or later, or 2.12.6 or later. This fixes the session and message hijacking vulnerability via the MQTT Client ID. (The fixed-version list at the top of this page gives 2.12.1 for the 2.12 branch; check the upstream advisory for the exact 2.12 release.)
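The interim measure above, unpredictable Client IDs, in working code. This is an added example, not code from this page or from the NATS project: it generates Client IDs inside the portable subset that MQTT 3.1.1 requires every server to accept (1 to 23 bytes of [0-9a-zA-Z]), with a crypto/rand tail drawn by rejection sampling, and validates IDs against the same subset. The prefix convention (sensor01) and the 15-byte prefix cap are my choices. It only makes a valid ID hard to guess; it does not fix the server-side flaw, so upgrading remains the fix.

```go
package main

import (
	"crypto/rand"
	"fmt"
)

// MQTT 3.1.1 obliges servers to accept Client Identifiers of 1 to 23 bytes
// drawn from [0-9a-zA-Z]; longer or richer IDs are server-dependent, so the
// generator stays inside that portable subset.
const (
	clientIDAlphabet    = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
	portableClientIDLen = 23
	maxPrefixLen        = 15 // my cap: leaves at least 8 random characters
)

func isAlnum(c byte) bool {
	return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
}

// IsPortableClientID reports whether id satisfies the portable subset above.
func IsPortableClientID(id string) bool {
	if len(id) == 0 || len(id) > portableClientIDLen {
		return false
	}
	for i := 0; i < len(id); i++ {
		if !isAlnum(id[i]) {
			return false
		}
	}
	return true
}

// NewClientID returns prefix followed by enough random alphanumeric
// characters to reach 23 bytes. The prefix (a device class, say) keeps IDs
// recognisable in broker logs; the random tail is what an attacker would
// have to guess. With an 8-byte prefix the tail is 15 characters, roughly
// 89 bits of entropy; the minimum 8-character tail is about 47 bits.
func NewClientID(prefix string) (string, error) {
	if !IsPortableClientID(prefix) || len(prefix) > maxPrefixLen {
		return "", fmt.Errorf("prefix %q must be 1-%d alphanumeric bytes", prefix, maxPrefixLen)
	}
	n := portableClientIDLen - len(prefix)
	tail := make([]byte, 0, n)
	buf := make([]byte, 1)
	// Rejection sampling: 248 is the largest multiple of 62 that fits in a
	// byte, so discarding values >= 248 keeps every character equally likely.
	for len(tail) < n {
		if _, err := rand.Read(buf); err != nil {
			return "", fmt.Errorf("crypto/rand: %w", err)
		}
		if buf[0] < 248 {
			tail = append(tail, clientIDAlphabet[buf[0]%62])
		}
	}
	return prefix + string(tail), nil
}

func main() {
	id, err := NewClientID("sensor01")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("client id:", id, "portable:", IsPortableClientID(id))
}
```

Persist the generated ID on the device at first boot and reuse it on every reconnect: a fresh ID per connection would defeat persistent sessions, while a fixed, predictable one is exactly what this vulnerability turns against you.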
CVE-2026-33215 is a medium-severity vulnerability in NATS Server affecting versions before 2.11.15. It lets an attacker hijack an MQTT session by presenting another client's Client ID, gaining that client's access.
You are affected if you are running NATS Server versions prior to 2.11.15 and utilize MQTT communication. Assess your deployment and upgrade as soon as possible.
Upgrade NATS Server to version 2.11.15 or later to address the vulnerability. Implement stricter Client ID validation in your MQTT clients as an interim measure.
Currently, there are no publicly known active exploitation campaigns for CVE-2026-33215, but continuous monitoring is recommended.
Refer to the official NATS Server security advisories on the NATS website or GitHub repository for detailed information and updates regarding CVE-2026-33215.