LeakyCreds

CVE-2026-33216 - Vulnerability Analysis

Severity: High | CVSS: 8.6

Last Updated: March 26, 2026

NATS-Server - Information Disclosure

Published: March 25, 2026
Updated: March 26, 2026
Remote Exploitable

Overview

NATS-Server versions before 2.11.15 and before 2.12.6 contain an information disclosure vulnerability: MQTT passwords are incorrectly classified as non-authenticating JWTs and are therefore exposed through the server's monitoring endpoints. An attacker who can reach those monitoring endpoints can read the credentials; exploitation requires access to the monitoring endpoints.

Severity & Score

Severity: High
CVSS Score: 8.6
EPSS Score: 3.3% (probability of exploitation in the next 30 days)

Impact

Attackers with access to monitoring endpoints can obtain MQTT passwords, leading to credential disclosure and potential unauthorized access.

Mitigation

Upgrade to versions 2.11.15 or 2.12.6 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 25, 2026

🟠 CVE-2026-33216 - High (8.6) NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33216/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-33216
Severity: High
CVSS Score: 8.6
Type: information_disclosure
Status: confirmed
EPSS: 3.3%
Social Posts: 1

CWE

  • CWE-256

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

EPSS Score

3.3% (probability of exploitation in the next 30 days)