Sign In

CVE-2026-33216

ADVISORY - github

Summary

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server provides an MQTT client interface.

Problem Description

For MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

Ensure monitoring end-points are adequately secured.

Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users.

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-256

Plaintext Storage of a Password

ADVISORY - github

CWE-256

Plaintext Storage of a Password

ADVISORY - redhat

CWE-213

Exposure of Sensitive Information Due to Incompatible Policies

Impacted images

Advisories
Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in