CVE-2026-33217: NATS allows MQTT clients to bypass ACL checks
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server provides an MQTT client interface.
Problem Description
When using ACLs on message subjects, these ACLs were not applied in the $MQTT.> namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects.
Affected Versions
Any version before v2.12.6 or v2.11.15
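A check for the affected range above, as an added example that is not part of the advisory or the NATS project: it classifies a nats-server version string against the two fixed releases. The `Affected` function, the `fixedPatch` table and the sample versions are constructed here. The handling of release lines outside 2.11 and 2.12, and of pre-release builds, is an assumption noted in the comments.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// fixedPatch: first fixed patch level per release line, from the advisory's
// "Affected Versions" section (v2.11.15 and v2.12.6).
var fixedPatch = map[[2]int]int{{2, 11}: 15, {2, 12}: 6}

// Affected reports whether a nats-server version predates the CVE-2026-33217 fix.
// Assumptions, not stated in the advisory: lines older than 2.11 are affected,
// lines newer than 2.12 carry the fix, and a pre-release of a fixed version
// (e.g. 2.12.6-RC.1) still counts as affected.
func Affected(version string) (bool, error) {
	v := strings.TrimPrefix(strings.TrimSpace(version), "v")
	core, _, hasPre := strings.Cut(v, "-")
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return false, fmt.Errorf("not major.minor.patch: %q", version)
	}
	var n [3]int
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil || x < 0 {
			return false, fmt.Errorf("bad version component %q in %q", p, version)
		}
		n[i] = x
	}
	if fix, ok := fixedPatch[[2]int{n[0], n[1]}]; ok {
		return n[2] < fix || (n[2] == fix && hasPre), nil
	}
	return n[0] < 2 || (n[0] == 2 && n[1] < 11), nil
}

func main() {
	// Constructed inventory of server versions, for illustration only.
	for _, v := range []string{"v2.10.22", "2.11.14", "v2.11.15", "2.12.5", "v2.12.6-RC.1", "2.12.6"} {
		hit, err := Affected(v)
		if err != nil {
			fmt.Println(v, "->", err)
			continue
		}
		fmt.Printf("%-14s affected=%v\n", v, hit)
	}
}
```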
Workarounds
None.