{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33216", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T23:23:58.314Z", "datePublished": "2026-03-25T19:41:55.670Z", "dateUpdated": "2026-03-25T19:47:49.517Z"}, "containers": {"cna": {"title": "NATS has MQTT plaintext password disclosure", "problemTypes": [{"descriptions": [{"cweId": "CWE-256", "lang": "en", "description": "CWE-256: Plaintext Storage of a Password", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-v722-jcv5-w7mc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-v722-jcv5-w7mc"}, {"name": "https://github.com/nats-io/nats-server/commit/b5b63cfc35a57075e09c1f57503d31721bed8099", "tags": ["x_refsource_MISC"], "url": "https://github.com/nats-io/nats-server/commit/b5b63cfc35a57075e09c1f57503d31721bed8099"}, {"name": "https://advisories.nats.io/CVE/secnote-2026-05.txt", "tags": ["x_refsource_MISC"], "url": "https://advisories.nats.io/CVE/secnote-2026-05.txt"}], "affected": [{"vendor": "nats-io", "product": "nats-server", "versions": [{"version": "< 2.11.15", "status": "affected"}, {"version": ">= 2.12.0-RC.1, < 2.12.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T19:47:49.517Z"}, "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints. Versions 2.11.14 and 2.12.6 contain a fix. As a workaround, ensure monitoring end-points are adequately secured. Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users."}], "source": {"advisory": "GHSA-v722-jcv5-w7mc", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints. Versions 2.11.14 and 2.12.6 contain a fix. As a workaround, ensure monitoring end-points are adequately secured. Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users."}], "id": "CVE-2026-33216", "lastModified": "2026-03-25T20:16:32.320", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-25T20:16:32.320", "references": [{"source": "security-advisories@github.com", "url": "https://advisories.nats.io/CVE/secnote-2026-05.txt"}, {"source": "security-advisories@github.com", "url": "https://github.com/nats-io/nats-server/commit/b5b63cfc35a57075e09c1f57503d31721bed8099"}, {"source": "security-advisories@github.com", "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-v722-jcv5-w7mc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-256"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "nats-server: github.com/nats-io/nats-server: NATS-Server: Information disclosure of MQTT passwords through monitoring endpoints", "id": "2451448", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451448"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-213", "details": ["A flaw was found in NATS-Server, a high-performance server for the NATS.io messaging system. For MQTT deployments utilizing usercodes and passwords, the MQTT passwords were mistakenly categorized as non-authenticating identity statements (JSON Web Tokens - JWT). This misclassification leads to the exposure of these passwords through monitoring endpoints, enabling an attacker with access to these endpoints to gain sensitive information."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-33216", "package_state": [{"cpe": "cpe:/a:redhat:multicluster_globalhub", "fix_state": "Affected", "package_name": "multicluster-globalhub/multicluster-globalhub-grafana-rhel9", "product_name": "Multicluster Global Hub"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/oc-mirror-plugin-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-03-25T19:41:55Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33216\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33216\nhttps://advisories.nats.io/CVE/secnote-2026-05.txt\nhttps://github.com/nats-io/nats-server/commit/b5b63cfc35a57075e09c1f57503d31721bed8099\nhttps://github.com/nats-io/nats-server/security/advisories/GHSA-v722-jcv5-w7mc"], "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-03-25T21:39:23.838300+00:00", "value": {"mitigation_remediation": ["Update the NATS Server to version 2.11.15 or later 2.12.6 or newer.", "If immediate upgrade is not possible, secure the monitoring endpoints by limiting access to trusted internal networks or applying network segmentation."], "summary": {"action": "Apply patch", "impact": "Plaintext password disclosure"}, "threat_synthesis": {"affected_systems": "The affected product is NATS-IO NATS Server. Versions before 2.11.15 and 2.12.6 contain the flaw; these releases are susceptible to the disclosure. Later releases, starting with 2.11.15 and 2.12.6, include the fix.", "description_and_impact": "The vulnerability involves MQTT passwords being incorrectly treated as non-authenticating identity statements, causing them to be exposed through monitoring endpoints. This flaw leads to plaintext credential leakage, allowing an attacker who can reach these endpoints to retrieve user passwords. The weakness corresponds to Credential Management \u2013 Plaintext Storage (CWE-256).", "risk_and_exploitability": "The CVSS score of 8.6 indicates high severity, and the flaw is not listed in the CISA KEV catalog. Since the exposed credentials are available through monitoring endpoints, the likely attack vector is remote access to those endpoints; protection can be achieved by restricting the monitoring interface to trusted networks. No EPSS score is provided, so the exact exploit probability is unknown."}}}}, "created": "2026-03-25T21:46:23.121322+00:00", "updated": "2026-03-25T21:46:23.121347+00:00", "vendors": []}