VIR Vulnerability Intelligence Relay

CVE-2026-33216

unknown
Published 2026-03-24 ยท Modified 2026-03-27
๐Ÿ’ฌ Discuss on Community โœš Propose mitigation
CVSS v3
โ€”
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVSS v4 NEW
โ€”
not yet in upstream
VIR risk
โ€”

Description

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints. Versions 2.11.14 and 2.12.6 contain a fix. As a workaround, ensure monitoring end-points are adequately secured. Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users.

Predictions

Exploit likelihood
30%
Patch ETA
โ€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ€” if you've already worked around this in production โ€” publish your fix to the community-verified tier.

โœš Propose a mitigation on Community โ†’ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

OS impact
OSVersionStatusFixed in
suse slesaffected
debian debianbookwormaffected
debian debianforkyfixed2.12.6-1
debian debiansidfixed2.12.6-1
debian debiantrixieaffected

Package impact
EcosystemPackageVulnerableFixed
golang Gogithub.com/nats-io/nats-server/v2<2.11.152.11.15
golang Gogithub.com/nats-io/nats-server/v2>=2.12.0-RC.1,<2.12.62.12.6
golang Gogithub.com/nats-io/nats-server

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.