Description
There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:
- NATS-Server is a high-performance server for NATS.io, a cloud and edge native messaging system. Prior to
versions 2.11.15 and 2.12.6, in MQTT deployments that authenticate with usernames and passwords, MQTT
passwords are incorrectly classified as a non-authenticating identity statement (JWT) and are exposed via
the monitoring endpoints. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, ensure the monitoring
endpoints are adequately secured. Best practice remains to not expose the monitoring endpoint to the
Internet or to other untrusted network users. (CVE-2026-33216)
- NATS-Server is a high-performance server for NATS.io, a cloud and edge native messaging system. The nats-
server provides an MQTT client interface. Prior to versions 2.11.15 and 2.12.5, sessions and messages can
be hijacked via MQTT Client ID malfeasance. Versions 2.11.15 and 2.12.5 patch the issue. No known
workarounds are available. (CVE-2026-33215)
- NATS-Server is a high-performance server for NATS.io, a cloud and edge native messaging system. Prior to
versions 2.11.15 and 2.12.6, when ACLs are applied to message subjects, those ACLs were not enforced in the
`$MQTT.>` namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects. Versions 2.11.15 and
2.12.6 contain a fix. No known workarounds are available. (CVE-2026-33217)
- NATS-Server is a high-performance server for NATS.io, a cloud and edge native messaging system. Prior to
versions 2.11.15 and 2.12.6, a client that can connect to the leafnode port can crash the nats-server
with a certain malformed message sent before authentication. Versions 2.11.15 and 2.12.6 contain a fix. As
a workaround, disable leafnode support if it is not needed, or restrict network access to the leafnode
port where that is possible without compromising the service offered. (CVE-2026-33218)
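The four advisories above name different fixed versions per release branch (2.11.15 for all four on the 2.11 branch; 2.12.5 for CVE-2026-33215 and 2.12.6 for the other three on the 2.12 branch). The following is an added example, not code from Tenable or from the NATS project, that turns those statements into a branch-aware version check: it parses a version string or the output of `nats-server --version` and reports which of the four CVEs still apply. It assumes that a branch older than 2.11 (for example 2.10.x) received no fix and is treated as affected, and that a branch newer than 2.12 was cut after the fixes; both are assumptions, not statements from the advisories. The sample version strings are constructed.

```python
import re

# Fixed versions as stated in the advisories above, keyed by CVE, then by
# (major, minor) release branch -> first fixed (major, minor, patch).
FIXED_VERSIONS = {
    "CVE-2026-33216": {(2, 11): (2, 11, 15), (2, 12): (2, 12, 6)},
    "CVE-2026-33215": {(2, 11): (2, 11, 15), (2, 12): (2, 12, 5)},
    "CVE-2026-33217": {(2, 11): (2, 11, 15), (2, 12): (2, 12, 6)},
    "CVE-2026-33218": {(2, 11): (2, 11, 15), (2, 12): (2, 12, 6)},
}

# Matches "2.12.4", "v2.12.4" and the version inside "nats-server: v2.12.4".
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a version string or from
    `nats-server --version` output. Distro suffixes such as "-r0" and
    pre-release tags such as "-rc.1" are ignored for the comparison."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no semantic version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def affected_cves(version_text):
    """Return the CVEs from FIXED_VERSIONS that still affect this version."""
    version = parse_version(version_text)
    branch = version[:2]
    affected = []
    for cve, branches in FIXED_VERSIONS.items():
        if branch in branches:
            vulnerable = version < branches[branch]
        else:
            # Assumption (not from the advisories): branches older than the
            # oldest fixed branch have no fix; newer branches post-date the fix.
            vulnerable = branch < min(branches)
        if vulnerable:
            affected.append(cve)
    return affected


if __name__ == "__main__":
    # Constructed sample inputs: raw versions and a `--version` style line.
    for sample in ["nats-server: v2.12.4", "2.12.5", "2.12.6-r0", "v2.11.14", "2.10.30"]:
        cves = affected_cves(sample)
        print(f"{sample:24} -> {', '.join(cves) if cves else 'not affected'}")
```

Pass the output of `nats-server --version` (or the installed package version, e.g. `2.12.6-r0`) to `affected_cves`; an empty list means none of the four CVEs apply. Note that 2.12.5 closes CVE-2026-33215 but not the other three, which is why the solution below targets 2.12.6.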
Solution
Update the nats-server package and its related packages to version 2.12.6-r0 or later, which covers all of the fixed versions named above.
Plugin Details
Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
Exploit Ease: No known exploits are available
Vulnerability Publication Date: 3/24/2026
Reference Information
CVE: CVE-2026-33215, CVE-2026-33216, CVE-2026-33217, CVE-2026-33218, CVE-2026-33219, CVE-2026-33222, CVE-2026-33223, CVE-2026-33246, CVE-2026-33247, CVE-2026-33248, CVE-2026-33249