Severity: HIGH (8.6) · Ecosystem: Go

NATS has MQTT plaintext password disclosure

GHSA-v722-jcv5-w7mc · BIT-nats-2026-33216 · CVE-2026-33216 · GO-2026-4836


Description

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server provides an MQTT client interface.

Problem Description

For MQTT deployments that authenticate clients with usernames/passwords: the MQTT password is incorrectly treated as a non-authenticating identity statement (a JWT) rather than as a secret, and is therefore exposed in plaintext through the server's monitoring endpoints.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

Ensure monitoring endpoints are adequately secured.

Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users.
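As an added example (not part of this advisory or of nats-server itself), the following defender-side check walks a monitoring response and flags MQTT connections whose identity field holds something that is not a JWT at all, i.e. the misclassified plaintext password described above. The JSON field names (`connections`, `cid`, `type`, `jwt`) and the `/connz?auth=1` path are assumptions about the monitoring output; the sample response is constructed.

```python
# Added example: detect MQTT connections whose "jwt" field is really a
# plaintext password. Field names are assumptions about /connz JSON.
import base64
import json
import re
import sys
import urllib.request

_B64URL = re.compile(r"^[A-Za-z0-9_-]+$")


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def looks_like_jwt(value: str) -> bool:
    """True if value has the shape header.payload.signature with a JSON header."""
    parts = value.split(".")
    if len(parts) != 3 or not all(_B64URL.match(p) for p in parts):
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # bad base64 or not JSON
        return False
    return isinstance(header, dict) and "typ" in header


def find_leaked_identities(connz: dict) -> list:
    """Return cids of MQTT connections whose identity field is not a JWT."""
    leaked = []
    for conn in connz.get("connections", []):
        ident = conn.get("jwt")
        if conn.get("type") == "mqtt" and ident and not looks_like_jwt(ident):
            leaked.append(conn["cid"])  # report the cid, never the value itself
    return leaked


# Constructed sample: a NATS client with a JWT-shaped identity and an MQTT
# client whose "jwt" field is actually its password.
_HDR = base64.urlsafe_b64encode(b'{"typ":"JWT","alg":"ed25519-nkey"}').rstrip(b"=").decode()
SAMPLE_CONNZ = {
    "connections": [
        {"cid": 1, "type": "nats", "jwt": f"{_HDR}.eyJzdWIiOiJVQUJDIn0.c2ln"},
        {"cid": 2, "type": "mqtt", "jwt": "hunter2"},
    ]
}

if __name__ == "__main__":
    # Usage: python check_connz.py http://127.0.0.1:8222 (no argument: sample)
    if len(sys.argv) > 1:
        with urllib.request.urlopen(sys.argv[1].rstrip("/") + "/connz?auth=1") as r:
            data = json.load(r)
    else:
        data = SAMPLE_CONNZ
    print("connections with plaintext identity:", find_leaked_identities(data))
```

Run it against a monitoring endpoint you operate; a non-empty result on a server below the fixed versions confirms the exposure without echoing any credential.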
