CVE-2026-33215

NameCVE-2026-33215
DescriptionNATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server provides an MQTT client interface. Prior to versions 2.11.15 and 2.12.5, Sessions and Messages can by hijacked via MQTT Client ID malfeasance. Versions 2.11.15 and 2.12.5 patch the issue. No known workarounds are available.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nats-server (PTS)bookworm2.9.10-1vulnerable
trixie2.10.27-1vulnerable
forky, sid2.12.4-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nats-serversource(unstable)(unfixed)

Notes

https://github.com/nats-io/nats-server/security/advisories/GHSA-fcjp-h8cc-6879
https://advisories.nats.io/CVE/secnote-2026-06.txt
Search for package or bug name: Reporting problems