{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-33216","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-03-17T23:23:58.314Z","datePublished":"2026-03-25T19:41:55.670Z","dateUpdated":"2026-03-28T01:37:49.970Z"},"containers":{"cna":{"title":"NATS has MQTT plaintext password disclosure","problemTypes":[{"descriptions":[{"cweId":"CWE-256","lang":"en","description":"CWE-256: Plaintext Storage of a Password","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":8.6,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","version":"3.1"}}],"references":[{"name":"https://github.com/nats-io/nats-server/security/advisories/GHSA-v722-jcv5-w7mc","tags":["x_refsource_CONFIRM"],"url":"https://github.com/nats-io/nats-server/security/advisories/GHSA-v722-jcv5-w7mc"},{"name":"https://github.com/nats-io/nats-server/commit/b5b63cfc35a57075e09c1f57503d31721bed8099","tags":["x_refsource_MISC"],"url":"https://github.com/nats-io/nats-server/commit/b5b63cfc35a57075e09c1f57503d31721bed8099"},{"name":"https://advisories.nats.io/CVE/secnote-2026-05.txt","tags":["x_refsource_MISC"],"url":"https://advisories.nats.io/CVE/secnote-2026-05.txt"}],"affected":[{"vendor":"nats-io","product":"nats-server","versions":[{"version":"< 2.11.15","status":"affected"},{"version":">= 2.12.0-RC.1, < 2.12.6","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-03-25T19:47:49.517Z"},"descriptions":[{"lang":"en","value":"NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. 
Prior to versions 2.11.15 and 2.12.6, in MQTT deployments that authenticate with usercodes/passwords, MQTT passwords are incorrectly classified as a JWT (a non-authenticating identity statement) and are therefore exposed via monitoring endpoints. Versions 2.11.14 and 2.12.6 contain a fix. As a workaround, ensure monitoring endpoints are adequately secured. Best practice remains not to expose the monitoring endpoint to the Internet or other untrusted network users."}],"source":{"advisory":"GHSA-v722-jcv5-w7mc","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-03-28T01:37:25.310195Z","id":"CVE-2026-33216","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-03-28T01:37:49.970Z"}}]}}