Alpine: nats-server: security update to 2.12.6-r0

high Tenable Cloud Security Plugin ID 440289

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to
versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are
incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring
endpoints. Versions 2.11.14 and 2.12.6 contain a fix. As a workaround, ensure monitoring end-points are
adequately secured. Best practice remains to not expose the monitoring endpoint to the Internet or other
untrusted network users. (CVE-2026-33216)

- NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server provides an MQTT client interface. Prior to versions 2.11.15 and 2.12.5, sessions and messages can be hijacked via MQTT Client ID malfeasance. Versions 2.11.15 and 2.12.5 patch the issue. No known workarounds are available. (CVE-2026-33215)

- NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to
versions 2.11.15 and 2.12.6, when using ACLs on message subjects, these ACLs were not applied in the
`$MQTT.>` namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects. Versions 2.11.15 and
2.12.6 contain a fix. No known workarounds are available. (CVE-2026-33217)

- NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to
versions 2.11.15 and 2.12.6, a client which can connect to the leafnode port can crash the nats-server
with a certain malformed message pre-authentication. Versions 2.11.15 and 2.12.6 contain a fix. As a
workaround, disable leafnode support if not needed or restrict network connections to the leafnode port,
if plausible without compromising the service offered. (CVE-2026-33218)

Solution

Update the nats-server library and its related packages to version 2.12.6-r0 or later.

See Also

https://security.alpinelinux.org/vuln/CVE-2026-33215

https://security.alpinelinux.org/vuln/CVE-2026-33216

https://security.alpinelinux.org/vuln/CVE-2026-33217

https://security.alpinelinux.org/vuln/CVE-2026-33218

https://security.alpinelinux.org/vuln/CVE-2026-33219

https://security.alpinelinux.org/vuln/CVE-2026-33222

https://security.alpinelinux.org/vuln/CVE-2026-33223

https://security.alpinelinux.org/vuln/CVE-2026-33246

https://security.alpinelinux.org/vuln/CVE-2026-33247

https://security.alpinelinux.org/vuln/CVE-2026-33248

https://security.alpinelinux.org/vuln/CVE-2026-33249

Plugin Details

Severity: High

ID: 440289

Version: Revision 1.2

Type: Local

Published: 4/12/2026

Updated: 5/18/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.16

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2026-33216

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 3/24/2026

Reference Information

CVE: CVE-2026-33215, CVE-2026-33216, CVE-2026-33217, CVE-2026-33218, CVE-2026-33219, CVE-2026-33222, CVE-2026-33223, CVE-2026-33246, CVE-2026-33247, CVE-2026-33248, CVE-2026-33249