CVE-2026-33217

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-33217
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33217.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33217
Aliases
Downstream
Related
Published
2026-03-25T19:43:40.969Z
Modified
2026-04-10T05:42:39.347885Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N CVSS Calculator
Summary
NATS allows MQTT clients to bypass ACL checks
Details

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using ACLs on message subjects, these ACLs were not applied in the $MQTT.> namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33217.json",
    "cwe_ids": [
        "CWE-863"
    ]
}
References

Affected packages

Git / github.com/nats-io/nats-server

Affected ranges

Type
GIT
Repo
https://github.com/nats-io/nats-server
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
bef17e1d9de6574fae0eabe1798db0d4529834e4
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.11.15"
        }
    ]
}
Type
GIT
Repo
https://github.com/nats-io/nats-server
Events
Introduced
4dccf778573cd9a9e52fb8f119718459f6f2f761
Fixed
0e0639058e0d2d8fce0cc34941f9897da152ab32
Database specific 
{
    "versions": [
        {
            "introduced": "2.12.0-RC.1"
        },
        {
            "fixed": "2.12.6"
        }
    ]
}

Affected versions

v0.*
v0.5.1
v0.5.2
v0.5.4
v0.5.6
v0.6.0
v0.6.2
v0.6.4
v0.6.6
v0.6.8
v0.7.0
v0.7.2
v0.8.0
v0.8.1
v0.9.2
v0.9.4
v0.9.6
v1.*
v1.0.0
v1.0.2
v1.0.4
v1.0.6
v1.1.0
v1.2.0
v1.3.0
v2.*
v2.0.0
v2.0.0-RC14
v2.0.0-RC19
v2.0.2
v2.0.4
v2.1.0
v2.1.2
v2.1.4
v2.1.6
v2.1.7
v2.10.0
v2.10.1
v2.10.2
v2.10.3
v2.11.0
v2.11.0-RC.1
v2.11.0-RC.2
v2.11.0-RC.3
v2.11.0-RC.4
v2.11.0-RC.5
v2.11.10
v2.11.10-RC.1
v2.11.11
v2.11.11-RC.1
v2.11.11-RC.2
v2.11.11-RC.3
v2.11.11-RC.4
v2.11.12
v2.11.12-RC.1
v2.11.12-RC.2
v2.11.12-RC.3
v2.11.12-RC.4
v2.11.12-RC.5
v2.11.12-RC.6
v2.11.12-RC.7
v2.11.14
v2.11.2
v2.11.2-RC.1
v2.11.2-RC.2
v2.11.2-RC.3
v2.11.3
v2.11.3-RC.1
v2.11.3-RC.2
v2.11.4
v2.11.4-RC.1
v2.11.4-RC.2
v2.11.4-RC.3
v2.11.5
v2.11.5-RC.1
v2.11.5-RC.2
v2.11.5-RC.3
v2.11.5-RC.4
v2.11.6
v2.11.6-RC.1
v2.11.7
v2.11.7-RC.1
v2.11.7-RC.2
v2.11.7-RC.3
v2.11.8
v2.11.8-RC.1
v2.11.9
v2.11.9-RC.1
v2.11.9-RC.2
v2.11.9-RC.3
v2.12.0
v2.12.0-RC.1
v2.12.0-RC.2
v2.12.0-RC.3
v2.12.0-RC.4
v2.12.0-RC.5
v2.12.0-RC.6
v2.12.1
v2.12.1-RC.1
v2.12.1-RC.2
v2.12.1-RC.3
v2.12.1-RC.4
v2.12.1-RC.5
v2.12.2
v2.12.2-RC.1
v2.12.2-RC.2
v2.12.2-RC.3
v2.12.2-RC.4
v2.12.3
v2.12.3-RC.1
v2.12.3-RC.2
v2.12.3-RC.3
v2.12.3-RC.4
v2.12.3-RC.5
v2.12.4
v2.12.4-RC.1
v2.12.4-RC.2
v2.12.4-RC.3
v2.12.4-RC.4
v2.12.4-RC.5
v2.12.4-RC.6
v2.12.5
v2.12.5-RC.1
v2.12.5-RC.2
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.4.0
v2.5.0
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.7.0
v2.7.0-rc1
v2.7.0-rc2
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.8.4
v2.9.0
v2.9.1
v2.9.10
v2.9.11
v2.9.12
v2.9.14
v2.9.15
v2.9.16
v2.9.17
v2.9.18
v2.9.19
v2.9.2
v2.9.20
v2.9.21
v2.9.22
v2.9.3
v2.9.4
v2.9.5
v2.9.6
v2.9.7
v2.9.8
v2.9.9

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33217.json"