GHSA-v722-jcv5-w7mc

Source
https://github.com/advisories/GHSA-v722-jcv5-w7mc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-v722-jcv5-w7mc/GHSA-v722-jcv5-w7mc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-v722-jcv5-w7mc
Aliases
Downstream
Related
Published
2026-03-24T21:42:10Z
Modified
2026-03-27T22:18:39.770946Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Summary
NATS has MQTT plaintext password disclosure
Details

Background

NATS.io is a high-performance, open source pub-sub distributed communication technology, built for the cloud, on-premises, IoT, and edge computing.

The nats-server provides an MQTT client interface.

Problem Description

For MQTT deployments that authenticate clients with usercodes/passwords: the MQTT password is incorrectly classified as a non-authenticating identity statement, the category a JWT belongs to, and is therefore exposed in plaintext via the server's monitoring endpoints. Anyone who can reach those endpoints can read the credentials of connected MQTT clients, which is why the CVSS vector scores confidentiality impact as High with changed scope and no privileges required.

Affected Versions

All releases before v2.11.15, and the v2.12 line from v2.12.0-RC.1 up to but not including v2.12.6. Fixed in v2.11.15 and v2.12.6.
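
Checking a deployed server against the two SEMVER ranges listed under Affected packages below, as an added example in Go (the server's own language) that is not part of the advisory or the nats-server code base. It implements the OSV range semantics with only the standard library: introduced is inclusive, fixed is exclusive, "0" means every earlier version, and an empty fixed means no fixed version is listed. The sample version line in main is constructed, not captured from a real host.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// version is a parsed nats-server release such as "2.12.0-RC.1".
type version struct {
	nums [3]int // major, minor, patch
	pre  string // text after '-'; "" for a final release
}

// parseVersion accepts "2.11.14", "v2.11.14", "2.12.0-RC.1", a whole
// "nats-server: v2.11.14" line, and OSV's bare "0" (missing parts read as 0).
func parseVersion(s string) (version, error) {
	if f := strings.Fields(s); len(f) > 0 {
		s = f[len(f)-1] // last token, e.g. "v2.11.14" from `nats-server --version`
	}
	s = strings.TrimPrefix(s, "v")
	var v version
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.pre, s = s[i+1:], s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) > 3 {
		return version{}, fmt.Errorf("malformed version %q", s)
	}
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil {
			return version{}, fmt.Errorf("malformed version %q", s)
		}
		v.nums[i] = x
	}
	return v, nil
}

// compare returns -1, 0 or 1; a pre-release sorts before its final release
// (2.12.0-RC.1 < 2.12.0). Pre tags compare lexically: fine for RC.1, not RC.10 vs RC.2.
func compare(a, b version) int {
	for i := range a.nums {
		if a.nums[i] < b.nums[i] {
			return -1
		}
		if a.nums[i] > b.nums[i] {
			return 1
		}
	}
	switch {
	case a.pre == b.pre:
		return 0
	case a.pre == "":
		return 1
	case b.pre == "":
		return -1
	}
	return strings.Compare(a.pre, b.pre)
}

// semverRange mirrors one OSV SEMVER range: affected from introduced
// (inclusive) up to fixed (exclusive); fixed "" means no fix is listed.
type semverRange struct{ introduced, fixed string }
// ghsaV722Ranges copies the ranges this advisory lists for nats-server/v2.
var ghsaV722Ranges = []semverRange{
	{introduced: "0", fixed: "2.11.15"},
	{introduced: "2.12.0-RC.1", fixed: "2.12.6"},
}

func (r semverRange) contains(v version) (bool, error) {
	lo, err := parseVersion(r.introduced)
	if err != nil || compare(v, lo) < 0 {
		return false, err
	}
	if r.fixed == "" {
		return true, nil
	}
	hi, err := parseVersion(r.fixed)
	return err == nil && compare(v, hi) < 0, err
}

// affected reports whether the version in versionLine falls in any range.
func affected(versionLine string, ranges []semverRange) (bool, error) {
	v, err := parseVersion(versionLine)
	if err != nil {
		return false, err
	}
	for _, r := range ranges {
		if in, err := r.contains(v); err != nil || in {
			return in, err
		}
	}
	return false, nil
}

func main() {
	in, err := affected("nats-server: v2.11.14", ghsaV722Ranges) // constructed sample line
	fmt.Println("affected:", in, "err:", err)
}
```

Feed it the output line of `nats-server --version` from each host. A true result means the host needs the v2.11.15 or v2.12.6 update; a parse error means the line was not a version string at all and should be investigated rather than treated as "not affected". Note that a release candidate such as 2.11.15-RC.1 is reported as affected, which is what SemVer ordering and the OSV fixed boundary imply.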

Workarounds

Ensure the monitoring endpoints are adequately secured. Because the disclosure is through the monitoring interface itself, this means limiting who can reach the monitoring listener: bind it to a loopback or management-only address, firewall it, or place it behind an authenticating proxy. If the endpoint has been reachable by untrusted parties, treat the MQTT passwords that were in use as exposed and rotate them.

Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users.
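
As an added example (not from the advisory or the NATS project), the nats-server configuration below shows the exposed monitoring listener beside a loopback-bound one for a deployment of the kind the advisory concerns. The ports, server name, store directory and user are assumed placeholders; `http`, `http_port`, `server_name`, `jetstream`, `mqtt` and `authorization` are standard nats-server configuration keys.

```conf
# --- Weak: monitoring reachable on every interface the host has ---
# http_port alone binds all addresses, so anyone who can reach the host can
# query /varz, /connz and the other monitoring endpoints.
# http_port: 8222

# --- Corrected: bind monitoring to loopback (or a dedicated management
# address) and reach it only from local tooling or an authenticating proxy.
http: 127.0.0.1:8222

# MQTT support in nats-server requires JetStream and a server_name.
server_name: nats-1
jetstream {
  store_dir: "/var/lib/nats/jetstream"
}
mqtt {
  port: 1883
}

# Username/password authentication for MQTT clients: the deployment type
# this advisory concerns. The user and password are placeholders.
authorization {
  users = [
    { user: "mqtt-device-01", password: "REPLACE_ME" }
  ]
}
```

The `http:` form with an explicit host is what keeps the listener off non-loopback interfaces; `http_port:` by itself does not. Binding narrowly is a network-level mitigation only, and the update to v2.11.15 or v2.12.6 is still required.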

Database specific
{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-256"
    ],
    "nvd_published_at": "2026-03-25T20:16:32Z",
    "github_reviewed_at": "2026-03-24T21:42:10Z",
    "severity": "HIGH"
}
References

Affected packages

Go / github.com/nats-io/nats-server/v2

Package

Name
github.com/nats-io/nats-server/v2
Purl
pkg:golang/github.com/nats-io/nats-server/v2

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.11.15

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-v722-jcv5-w7mc/GHSA-v722-jcv5-w7mc.json"

Go / github.com/nats-io/nats-server/v2

Package

Name
github.com/nats-io/nats-server/v2
Purl
pkg:golang/github.com/nats-io/nats-server/v2

Affected ranges

Type
SEMVER
Events
Introduced
2.12.0-RC.1
Fixed
2.12.6

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-v722-jcv5-w7mc/GHSA-v722-jcv5-w7mc.json"

Go / github.com/nats-io/nats-server

Package

Name
github.com/nats-io/nats-server
Purl
pkg:golang/github.com/nats-io/nats-server

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-v722-jcv5-w7mc/GHSA-v722-jcv5-w7mc.json"