CVE-2026-33215

Publication date 26 March 2026

Last updated 26 March 2026

Ubuntu priority

Cvss 3 Severity Score

Description

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server provides an MQTT client interface. Prior to versions 2.11.15 and 2.12.5, Sessions and Messages can by hijacked via MQTT Client ID malfeasance. Versions 2.11.15 and 2.12.5 patch the issue. No known workarounds are available.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
nats-server	25.10 questing	Needs evaluation
	24.04 LTS noble	Needs evaluation
	22.04 LTS jammy	Not in release

How can I get the fixes?
What do statuses mean?

Severity score breakdown

Parameter	Value
Base score	6.5 · Medium
Attack vector	Network
Attack complexity	High
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	None
Availability impact	Low
Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2026-33215
https://github.com/nats-io/nats-server/security/advisories/GHSA-fcjp-h8cc-6879
https://advisories.nats.io/CVE/secnote-2026-06.txt
https://advisories.nats.io/CVE/secnote-2026-06.tx