Severity: HIGH (7.1) · Ecosystem: Go

NATS allows MQTT clients to bypass ACL checks

GHSA-jxxm-27vp-c3m5 · BIT-nats-2026-33217 · CVE-2026-33217 · GO-2026-4834

Description

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server provides an MQTT client interface.

Problem Description

When ACLs were configured on message subjects, they were not enforced within the $MQTT.> namespace, so MQTT clients could bypass the ACL checks for MQTT subjects.

Affected Versions

Any version before v2.12.6 or v2.11.15
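The fix landed on two release lines (v2.12.6 and the v2.11.15 backport), so a plain "less than" comparison against one number misclassifies 2.11.x builds. The following is an added example, not code from the advisory or the nats-server project, that applies the advisory's version ranges to a version string; the banner formats it parses are assumed, it only needs an x.y.z triple somewhere in the input.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// verRe picks the first x.y.z triple out of a version string or banner.
var verRe = regexp.MustCompile(`(\d+)\.(\d+)\.(\d+)`)

type version struct{ major, minor, patch int }

// parseVersion accepts "v2.12.5", "2.11.14" or a longer banner containing
// such a triple (the banner format is an assumption of this example).
func parseVersion(s string) (version, error) {
	m := verRe.FindStringSubmatch(s)
	if m == nil {
		return version{}, fmt.Errorf("no x.y.z version found in %q", s)
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch, _ := strconv.Atoi(m[3])
	return version{major, minor, patch}, nil
}

func (v version) less(o version) bool {
	if v.major != o.major {
		return v.major < o.major
	}
	if v.minor != o.minor {
		return v.minor < o.minor
	}
	return v.patch < o.patch
}

// Affected reports whether a nats-server version predates the fix for
// CVE-2026-33217. The 2.11 maintenance line is compared against its own
// backport (v2.11.15); every other line is compared against v2.12.6.
func Affected(s string) (bool, error) {
	v, err := parseVersion(s)
	if err != nil {
		return false, err
	}
	if v.major == 2 && v.minor == 11 {
		return v.less(version{2, 11, 15}), nil
	}
	return v.less(version{2, 12, 6}), nil
}

func main() {
	for _, s := range []string{"v2.10.20", "v2.11.14", "v2.11.15", "v2.12.5", "v2.12.6", "v2.13.0"} {
		a, _ := Affected(s)
		fmt.Printf("%-9s affected=%v\n", s, a)
	}
}
```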

Workarounds

None.
