Launch Week Day 1: Announcing Security Design Review

NATS is vulnerable to MQTT hijacking via Client ID

GHSA-fcjp-h8cc-6879 · BIT-nats-2026-33215 · CVE-2026-33215 · GO-2026-4833

Published Mar 24, 2026 · Modified Mar 27, 2026

Description

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server provides an MQTT client interface.

Problem Description

Sessions and Messages can by hijacked via MQTT Client ID malfeasance.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

None.

Resources

This document is canonically: https://advisories.nats.io/CVE/secnote-2026-06.txt
GHSA advisory: https://github.com/nats-io/nats-server/security/advisories/GHSA-fcjp-h8cc-6879
MITRE CVE entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33215

References

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes