Vulnerability Details CVE-2026-33217
NATS-Server is a high-performance server for NATS.io, a cloud- and edge-native messaging system. Prior to versions 2.11.15 and 2.12.6, subject-level ACLs (user permissions on publish/subscribe subjects) were not applied in the `$MQTT.>` namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.
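The practical first question for a deployment is whether a given server build falls in the affected range. The following is an added example (not code from the NATS project or from this advisory) that encodes the fixed versions stated above and evaluates either a bare version string or the `version` field of a `/varz` monitoring document. Assumptions, labelled in the code: every build below 2.11.15 is treated as affected (the description says "prior to 2.11.15", while the CPE list on this page enumerates only 2.12.0 through 2.12.5); pre-release and build suffixes are compared on their numeric part only; and the presence of an `mqtt` object in `/varz` is taken to mean MQTT is enabled on the server. The `/varz` document embedded below is constructed for illustration.

```python
"""Version-range check for CVE-2026-33217 (nats-server MQTT subject-ACL bypass).

Added example for this advisory page; not code from the NATS project.
"""
import json
import re
from typing import Dict, Tuple

# Fixed releases named in the advisory text.
FIXED_2_11 = (2, 11, 15)
FIXED_2_12 = (2, 12, 6)

# Accepts "2.12.5", "v2.12.5", "2.12.6-RC.1", "2.12.6+build7".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) for a nats-server version string.

    Assumption: pre-release/build suffixes are dropped and the numeric part
    alone is compared, so "2.12.6-RC.1" is treated like "2.12.6".
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognized nats-server version: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(version: str) -> bool:
    """True if the version is in the range the advisory describes as affected.

    2.12.x is affected below 2.12.6. Everything below 2.11.15 is treated as
    affected (assumption: the advisory says "prior to 2.11.15", so older
    minor lines such as 2.10.x are not exempted). 2.13+ is not matched.
    """
    v = parse_version(version)
    if v >= (2, 12, 0):
        return v < FIXED_2_12
    return v < FIXED_2_11


def check_varz(varz_json: str) -> Dict[str, object]:
    """Evaluate a /varz monitoring document and return a verdict.

    Assumption: an "mqtt" object in /varz indicates MQTT is configured; if it
    is absent, the vulnerable code path is not reachable by MQTT clients.
    """
    data = json.loads(varz_json)
    version = data["version"]
    mqtt_enabled = isinstance(data.get("mqtt"), dict)
    return {
        "version": version,
        "affected": is_affected(version),
        "mqtt_enabled": mqtt_enabled,
        # Only builds that are both in range and serving MQTT need urgent action.
        "action_required": is_affected(version) and mqtt_enabled,
    }


# Constructed sample: a 2.12.5 server with an MQTT listener on 1883.
SAMPLE_VARZ = json.dumps({
    "server_id": "NEXAMPLESERVERID",
    "version": "2.12.5",
    "mqtt": {"host": "0.0.0.0", "port": 1883},
})

if __name__ == "__main__":
    print(check_varz(SAMPLE_VARZ))
```

Run it against `curl -s http://<monitor-host>:8222/varz` output to triage a fleet; a server that reports `action_required: True` is both in the vulnerable range and exposing the MQTT listener through which the ACL bypass is reachable.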
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 17.2%
CVSS Severity
CVSS v3 Score 7.1
Products affected by CVE-2026-33217
- cpe:2.3:a:linuxfoundation:nats-server:2.12.0
- cpe:2.3:a:linuxfoundation:nats-server:2.12.1
- cpe:2.3:a:linuxfoundation:nats-server:2.12.2
- cpe:2.3:a:linuxfoundation:nats-server:2.12.3
- cpe:2.3:a:linuxfoundation:nats-server:2.12.4
- cpe:2.3:a:linuxfoundation:nats-server:2.12.5

Note: the description above also places releases prior to 2.11.15 in scope; no CPE entries for those releases are listed on this page.