CVE-2026-33216: CWE-256: Plaintext Storage of a Password in nats-io nats-server
NATS-Server versions prior to 2. 11. 15 and between 2. 12. 0-RC. 1 and 2. 12. 6 have a vulnerability where MQTT passwords are stored or exposed in plaintext via monitoring endpoints. This occurs because MQTT passwords are misclassified as non-authenticating identity statements (JWT). The issue allows sensitive password exposure through monitoring interfaces.
AI Analysis
Technical Summary
CVE-2026-33216 affects nats-io nats-server in MQTT deployments using usercodes and passwords. Prior to versions 2.11.15 and 2.12.6, MQTT passwords were incorrectly treated as non-authenticating JWT identity statements and thus exposed in plaintext via monitoring endpoints. This plaintext exposure constitutes a CWE-256 weakness (plaintext storage of sensitive information). The vulnerability has a CVSS 3.1 score of 8.6, indicating high severity with network attack vector, low complexity, no privileges required, no user interaction, and high confidentiality impact. The issue is resolved in versions 2.11.15 and 2.12.6. No known exploits are reported in the wild. The product is not a cloud service, so remediation depends on user upgrades and configuration.
Potential Impact
The vulnerability exposes MQTT passwords in plaintext through monitoring endpoints, potentially allowing unauthorized parties to obtain sensitive credentials if they can access these endpoints. This compromises confidentiality but does not affect integrity or availability. The high CVSS score reflects the ease of exploitation over the network without privileges or user interaction and the severe confidentiality impact. There are no known active exploits reported.
Mitigation Recommendations
Upgrade nats-server to version 2.11.15 or 2.12.6 or later to apply the official fix. Until patched, ensure that monitoring endpoints are not exposed to untrusted networks and are adequately secured to prevent unauthorized access. Best practice is to avoid exposing monitoring endpoints to the Internet or other untrusted users. Patch status is confirmed by vendor advisory information embedded in the description.
CVE-2026-33216: CWE-256: Plaintext Storage of a Password in nats-io nats-server
Description
NATS-Server versions prior to 2. 11. 15 and between 2. 12. 0-RC. 1 and 2. 12. 6 have a vulnerability where MQTT passwords are stored or exposed in plaintext via monitoring endpoints. This occurs because MQTT passwords are misclassified as non-authenticating identity statements (JWT). The issue allows sensitive password exposure through monitoring interfaces.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-33216 affects nats-io nats-server in MQTT deployments using usercodes and passwords. Prior to versions 2.11.15 and 2.12.6, MQTT passwords were incorrectly treated as non-authenticating JWT identity statements and thus exposed in plaintext via monitoring endpoints. This plaintext exposure constitutes a CWE-256 weakness (plaintext storage of sensitive information). The vulnerability has a CVSS 3.1 score of 8.6, indicating high severity with network attack vector, low complexity, no privileges required, no user interaction, and high confidentiality impact. The issue is resolved in versions 2.11.15 and 2.12.6. No known exploits are reported in the wild. The product is not a cloud service, so remediation depends on user upgrades and configuration.
Potential Impact
The vulnerability exposes MQTT passwords in plaintext through monitoring endpoints, potentially allowing unauthorized parties to obtain sensitive credentials if they can access these endpoints. This compromises confidentiality but does not affect integrity or availability. The high CVSS score reflects the ease of exploitation over the network without privileges or user interaction and the severe confidentiality impact. There are no known active exploits reported.
Mitigation Recommendations
Upgrade nats-server to version 2.11.15 or 2.12.6 or later to apply the official fix. Until patched, ensure that monitoring endpoints are not exposed to untrusted networks and are adequately secured to prevent unauthorized access. Best practice is to avoid exposing monitoring endpoints to the Internet or other untrusted users. Patch status is confirmed by vendor advisory information embedded in the description.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-17T23:23:58.314Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69c43f15f4197a8e3b7dafdb
Added to database: 3/25/2026, 8:01:25 PM
Last enriched: 4/3/2026, 1:14:55 PM
Last updated: 5/7/2026, 4:26:09 AM
Views: 86
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.