CVE-2026-33217
Published: 25 March 2026
Summary
CVE-2026-33217 is a high-severity Incorrect Authorization (CWE-863) vulnerability in NATS-Server (listed under the vendor name Linuxfoundation). Its CVSS v3.1 base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 9.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): requires the system to enforce approved authorizations, including subject ACLs, uniformly across every namespace the server exposes, $MQTT.> included. This directly addresses the authorization bypass.
- SI-2 (Flaw Remediation): mandates timely patching to version 2.11.15 or 2.12.6, which removes the ACL enforcement gap in NATS-Server.
- AC-6 (Least Privilege): limits the damage an MQTT client can do after bypassing ACLs in the $MQTT.> namespace by keeping the credentials it authenticates with, and the subjects those credentials can reach, as narrow as possible.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The flaw sits in a network-reachable NATS-Server listener, so an attacker holding low-privileged MQTT credentials can exploit the public-facing application (T1190); by evading the subject ACLs in the $MQTT.> namespace, that attacker publishes to or subscribes from subjects the credentials were never granted, an escalation of privilege within the messaging system (T1068).
NVD Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using ACLs on message subjects, these ACLs were not applied in the `$MQTT.>` namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.
Deeper analysis
CVE-2026-33217 is an authorization bypass vulnerability in NATS-Server, the high-performance server implementation for NATS.io, a cloud and edge native messaging system. In versions prior to 2.11.15 and 2.12.6, Access Control Lists (ACLs) defined on message subjects are not enforced within the $MQTT.> namespace, so an MQTT client evades the ACL checks that would otherwise restrict what it may publish to or subscribe from. Only deployments with the MQTT listener enabled expose this path; core NATS clients are not the vector the advisory describes. The issue, published on 2026-03-25, is categorized under CWE-863 (Incorrect Authorization) with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N).
The vulnerability is exploitable over the network with low attack complexity and no user interaction, but it requires valid credentials (PR:L): the attacker must already be able to authenticate as an MQTT client. With that foothold, the client can publish to or subscribe from restricted MQTT subjects despite the ACL, which the vector scores as low impact on confidentiality and high impact on integrity, since injected messages can alter the behaviour of every consumer of those subjects.
NATS-Server versions 2.11.15 and 2.12.6 include the fix, and upgrading to the patched release for the branch in use is the only mitigation; no workaround exists, and in particular tightening ACL rules does not help because the rules are the part that is not enforced. Additional details are available in the project advisories at https://advisories.nats.io/CVE/secnote-2026-07.txt and https://github.com/nats-io/nats-server/security/advisories/GHSA-jxxm-27vp-c3m5.
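Because the fix shipped on two branches, a naive "version >= 2.12.6" check misclassifies the patched 2.11.15 as vulnerable. The following triage script, an added example that is not part of this advisory or of the NATS project's code, applies branch-aware version gating to the JSON returned by a nats-server monitoring endpoint (/varz). It assumes that document carries a top-level "version" string and an "mqtt" object only when the MQTT listener is configured; the three sample documents and server names are constructed for the example, and the treatment of releases older than 2.11 as unpatched is an assumption, since the advisory names no fix for them.

```python
"""Triage nats-server instances for CVE-2026-33217 from /varz JSON (added example).

Assumptions (not stated in the advisory): /varz exposes "version" and, when the
MQTT listener is configured, an "mqtt" object. The sample documents below are
constructed, not captured from real servers.
"""
import json
import re

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED_PATCH = {(2, 11): 15, (2, 12): 6}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from strings such as '2.12.5' or 'v2.11.15'."""
    match = VERSION_RE.match(text.strip().lstrip("v"))
    if not match:
        raise ValueError(f"unrecognised nats-server version: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_fixed(version):
    """Branch-aware check: 2.11.x needs x >= 15, 2.12.x needs x >= 6."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_PATCH:
        return patch >= FIXED_PATCH[branch]
    # Assumption: branches after 2.12 carry the fix; anything before 2.11 is
    # treated as unpatched because the advisory names no fixed release for it.
    return branch > (2, 12)


def assess(varz):
    """Classify one server's /varz document as (status, reason)."""
    version = varz.get("version", "")
    mqtt_enabled = bool(varz.get("mqtt"))
    if is_fixed(version):
        return "patched", f"{version} contains the fix"
    if not mqtt_enabled:
        return ("unpatched-mqtt-off",
                f"{version} lacks the fix but no MQTT listener is configured; "
                "the bypass needs an MQTT client, so upgrade before enabling MQTT")
    return ("vulnerable",
            f"{version} with an MQTT listener: subject ACLs are not enforced under $MQTT.>")


def triage(documents):
    """Map server name -> status for a dict of name -> raw /varz JSON text."""
    return {name: assess(json.loads(raw))[0] for name, raw in documents.items()}


# Constructed sample /varz documents for three hypothetical servers.
SAMPLE_VARZ = {
    "edge-a": '{"server_name":"edge-a","version":"2.12.5","mqtt":{"host":"0.0.0.0","port":1883}}',
    "core-b": '{"server_name":"core-b","version":"2.11.15","mqtt":{"host":"0.0.0.0","port":1883}}',
    "core-c": '{"server_name":"core-c","version":"2.11.14"}',
}

if __name__ == "__main__":
    for name, raw in SAMPLE_VARZ.items():
        status, reason = assess(json.loads(raw))
        print(f"{name}: {status} ({reason})")
```

In a real sweep, feed `triage` the body of `GET /varz` from each server's monitoring port (8222 by default when monitoring is enabled) instead of the constructed samples. The "unpatched-mqtt-off" bucket is deliberately separate from "patched": those servers are not exploitable today through this CVE, but they become so the moment someone turns on the MQTT listener, so they still belong on the upgrade list.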
Details
- CWE(s)