CVE-2026-33216: NATS has MQTT plaintext password disclosure
(updated )
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server provides an MQTT client interface.
Problem Description
For MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
Ensure monitoring end-points are adequately secured.
Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users.
References
- advisories.nats.io/CVE/secnote-2026-05.txt
- github.com/advisories/GHSA-v722-jcv5-w7mc
- github.com/nats-io/nats-server
- github.com/nats-io/nats-server/commit/b5b63cfc35a57075e09c1f57503d31721bed8099
- github.com/nats-io/nats-server/security/advisories/GHSA-v722-jcv5-w7mc
- nvd.nist.gov/vuln/detail/CVE-2026-33216
Code Behaviors & Features
Detect and mitigate CVE-2026-33216 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →