CVE-2026-33215: NATS is vulnerable to MQTT hijacking via Client ID

March 24, 2026 (updated March 27, 2026)

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server provides an MQTT client interface.

Problem Description

Sessions and Messages can by hijacked via MQTT Client ID malfeasance.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

None.

Resources

This document is canonically: https://advisories.nats.io/CVE/secnote-2026-06.txt
GHSA advisory: https://github.com/nats-io/nats-server/security/advisories/GHSA-fcjp-h8cc-6879
MITRE CVE entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33215

References

Code Behaviors & Features

Detect and mitigate CVE-2026-33215 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →