NATS-Server MQTT Password Exposure Vulnerability

Vulnerability

NATS-Server's MQTT implementation, in versions prior to 2.11.15 and 2.12.6, misclassifies MQTT passwords as non-authenticating identity information rather than as credentials. Because of this misclassification, the passwords are exposed through the server's monitoring endpoints. The issue affects MQTT deployments that authenticate clients with usernames and passwords.

Impact

An attacker who can query the monitoring endpoints can read the MQTT passwords of connected clients and reuse them to authenticate as those users, gaining unauthorized access or performing actions under their identity.

Remediation

Upgrade to NATS-Server 2.11.15 or 2.12.6 (or a later release on the respective branch). Independently of the upgrade, restrict access to the monitoring endpoints: bind them to a trusted interface and do not expose them to the Internet or to untrusted networks.
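The following script is an added example written for this page; it is not code from the advisory or from the NATS project. It checks a server's self-reported version against the two fixed releases named above and flags a monitoring listener bound to every interface, running offline against a constructed /varz excerpt. The JSON field names ("version", "http_host", "http_port", "https_port") are assumed to match nats-server's /varz output and should be verified against a live server; treating everything below 2.11 as affected and everything above 2.12 as fixed is also an assumption, since the advisory only names the 2.11 and 2.12 branches.

```python
"""Added example: version and monitoring-exposure check for the NATS-Server
MQTT password exposure advisory. Field names and branch handling outside
2.11.x/2.12.x are assumptions (see comments)."""
import json
from typing import Tuple

# Fixed releases stated in the advisory, keyed by (major, minor) branch.
FIXED_RELEASES = {
    (2, 11): (2, 11, 15),
    (2, 12): (2, 12, 6),
}

# Hosts that mean "listen on every interface". Assumption: an empty
# http_host in /varz falls back to the server's default of 0.0.0.0.
ALL_INTERFACES = {"", "0.0.0.0", "::"}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '2.11.14', 'v2.12.0-RC.1' or '2.11' into a comparable tuple.
    Pre-release and build suffixes are dropped, so '2.12.6-RC.1' compares
    as 2.12.6; treat release candidates of a fixed version with care."""
    core = version.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".") if p]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(version: str) -> bool:
    """True if the version predates the fix for its branch.

    2.11.x and 2.12.x are compared with the fixed release for that branch.
    Anything older than 2.11 is treated as affected, since the advisory
    lists no fix for those branches. Branches newer than 2.12 are assumed
    to include the fix (an assumption; the advisory does not say)."""
    ver = parse_version(version)
    branch = ver[:2]
    if branch in FIXED_RELEASES:
        return ver < FIXED_RELEASES[branch]
    return ver < (2, 11, 0)


def monitoring_on_all_interfaces(varz: dict) -> bool:
    """True if a monitoring port is enabled and bound to every interface."""
    http_port = int(varz.get("http_port") or 0)
    https_port = int(varz.get("https_port") or 0)
    if http_port <= 0 and https_port <= 0:
        return False
    return str(varz.get("http_host", "")) in ALL_INTERFACES


def assess(varz: dict) -> dict:
    """Summarise both checks for one server's /varz document."""
    version = str(varz.get("version", ""))
    return {
        "version": version,
        "affected_version": is_affected(version),
        "monitoring_on_all_interfaces": monitoring_on_all_interfaces(varz),
    }


# Constructed /varz excerpt standing in for a live server; only the fields
# the checks read are included.
SAMPLE_VARZ = json.loads("""
{
  "version": "2.11.14",
  "http_host": "0.0.0.0",
  "http_port": 8222,
  "https_port": 0
}
""")


if __name__ == "__main__":
    result = assess(SAMPLE_VARZ)
    for key, value in result.items():
        print(f"{key}: {value}")
    if result["affected_version"]:
        print("upgrade to 2.11.15 / 2.12.6 or later on the respective branch")
    if result["monitoring_on_all_interfaces"]:
        print("bind the monitoring listener to a trusted interface")
```

To run it against a real server, replace SAMPLE_VARZ with the parsed body of the server's /varz endpoint. If the second check fires, restrict the listener in the server configuration (for example `http: 127.0.0.1:8222` instead of a bare `http_port`) or put the monitoring port behind a firewall or an authenticating reverse proxy; upgrading removes the password leak, but the monitoring endpoints still disclose connection metadata and should not be reachable from untrusted networks either way.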

Added: Mar 25, 2026, 10:28 PM
Updated: Mar 25, 2026, 10:28 PM

Vulnerability Rating

Custom Algorithm

spread: 6.2
impact: 2.5
exploitability: 8.4
remediation: 7.9
relevance: 4.7
threat: 3.2
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.