CVE-2026-33216
Published: 25 March 2026
Summary
CVE-2026-33216 is a high-severity Plaintext Storage of a Password (CWE-256) vulnerability in Linuxfoundation Nats-Server. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 mandates timely flaw remediation, directly addressing CVE-2026-33216 by applying patches that correct the misclassification and exposure of MQTT passwords in monitoring endpoints.
AC-3 enforces approved authorizations on monitoring endpoints, preventing unauthorized retrieval of exposed plaintext MQTT passwords as specified in the CVE workaround.
SC-7 monitors and controls communications at system boundaries, mitigating remote network access to vulnerable monitoring endpoints from untrusted networks.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE directly exposes plaintext MQTT credentials via remotely accessible monitoring endpoints (CWE-256), enabling remote exploitation of a public-facing service (T1190) to obtain unsecured credentials (T1552).
NVD Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring…
more
endpoints. Versions 2.11.14 and 2.12.6 contain a fix. As a workaround, ensure monitoring end-points are adequately secured. Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users.
Deeper analysisAI
CVE-2026-33216 is a vulnerability in NATS-Server, a high-performance server for the NATS.io cloud and edge native messaging system. It affects versions prior to 2.11.15 and 2.12.6, specifically in MQTT deployments that use usercodes and passwords. The issue arises because MQTT passwords are incorrectly classified as a non-authenticating identity statement in JWT format, resulting in their exposure through monitoring endpoints. The vulnerability is rated with a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) and is associated with CWE-256 (Plaintext Storage of a Password).
Attackers can exploit this vulnerability remotely over the network with no privileges required, low complexity, and no user interaction needed. Anyone with access to the exposed monitoring endpoints can retrieve the MQTT passwords in plaintext, enabling unauthorized access to MQTT services. The scope change and high confidentiality impact allow attackers to compromise credentials without affecting integrity or availability.
Advisories and the patch notes recommend upgrading to versions 2.11.14 or 2.12.6, which contain the fix. As a workaround, administrators should ensure monitoring endpoints are adequately secured with authentication and access controls. Best practices emphasize not exposing the monitoring endpoint to the Internet or other untrusted networks, as detailed in the NATS security advisory and related GitHub commit.
Details
- CWE(s)