DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-33215: MQTT Session and Message Hijacking via Client ID Malfeasance in NATS-Server

Vulnerability ID: CVE-2026-33215
CVSS Score: 6.5
Published: 2026-03-24

NATS-Server versions prior to 2.11.15 and 2.12.5 contain multiple vulnerabilities within the MQTT session management and packet parsing logic. These flaws, notably a Client ID hash collision weakness and null-byte truncation, allow unauthenticated remote attackers to hijack active MQTT sessions and intercept private message streams.

TL;DR

A session hijacking vulnerability in NATS-Server allows an unauthenticated attacker to intercept private MQTT messages by exploiting Client ID hash collisions and null-byte truncation.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-287, CWE-488
  • Attack Vector: Network
  • CVSS Score: 6.5
  • Exploit Status: Proof-of-Concept
  • KEV Status: Not Listed
  • Impact: Session Hijacking, Message Interception

Affected Systems

  • NATS-Server JetStream Persistence Engine
  • NATS-Server MQTT Interface
  • nats-server: < 2.11.15 (Fixed in: 2.11.15)
  • nats-server: 2.12.0-RC.1 to < 2.12.5 (Fixed in: 2.12.5)

Code Analysis

  • Commit 43e13a4: Introduces explicit ID verification after hash lookup
  • Commit adfb162: Validates that strings contain no null characters
  • Commit ad80e45: Ensures the internal iname field is synchronized before comparison
  • Commit 0e4e808: Additional cluster state synchronization fixes
  • Commit a9f1175: Fixes MQTT parser validation for reserved bits
  • Commit 9ae01e3: Secondary fixes for MQTT fixed header length validation
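The first two fix patterns above (verify the full ID after a hash-keyed lookup; reject strings containing a NUL byte) are generic enough to show in isolation. The following Go program is an added illustration written for this page, not nats-server's own code: the session registry, the `Session` type and the 8-bit `toyHash` are hypothetical stand-ins chosen so that a collision is trivial to construct, and the lookup logic is a model of the weakness class rather than the server's real data structures. It places a hash-only lookup beside a lookup that validates the ID and confirms the stored ID matches.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Session is a hypothetical stand-in for an MQTT session record; it is
// not nats-server's type.
type Session struct {
	ClientID string
	Subject  string // the private stream this session receives
}

// toyHash is a deliberately weak 8-bit hash (sum of bytes) so that a
// collision can be constructed by reordering characters. It is NOT the
// hash nats-server uses; any hash-keyed lookup that skips verification
// has the same failure mode.
func toyHash(s string) uint8 {
	var h uint8
	for i := 0; i < len(s); i++ {
		h += s[i]
	}
	return h
}

// Registry maps hash(clientID) -> session, modelling a table keyed on the
// hash alone.
type Registry struct {
	byHash map[uint8]*Session
}

func NewRegistry() *Registry {
	return &Registry{byHash: make(map[uint8]*Session)}
}

// Register stores a session under the hash of its client ID.
func (r *Registry) Register(id, subject string) {
	r.byHash[toyHash(id)] = &Session{ClientID: id, Subject: subject}
}

// LookupWeak returns whatever session shares the hash of id. Two IDs that
// collide are treated as the same session: this is the weak pattern.
func (r *Registry) LookupWeak(id string) (*Session, error) {
	s, ok := r.byHash[toyHash(id)]
	if !ok {
		return nil, errors.New("no session")
	}
	return s, nil
}

// ValidateClientID rejects empty IDs and IDs containing a NUL byte, so a
// C-string-style consumer downstream cannot see a shorter string than the
// one that was validated here.
func ValidateClientID(id string) error {
	if id == "" {
		return errors.New("empty client id")
	}
	if strings.IndexByte(id, 0) >= 0 {
		return errors.New("client id contains null byte")
	}
	return nil
}

// LookupStrict validates the ID, performs the same hash lookup, and then
// requires the stored ID to equal the requested one (explicit ID
// verification after the hash lookup).
func (r *Registry) LookupStrict(id string) (*Session, error) {
	if err := ValidateClientID(id); err != nil {
		return nil, err
	}
	s, ok := r.byHash[toyHash(id)]
	if !ok || s.ClientID != id {
		return nil, errors.New("no session")
	}
	return s, nil
}

func main() {
	r := NewRegistry()
	r.Register("device-12", "private.device-12")
	// "device-21" is a constructed colliding ID under toyHash.
	s, _ := r.LookupWeak("device-21")
	fmt.Printf("weak lookup for device-21 -> %+v\n", s)
	_, err := r.LookupStrict("device-21")
	fmt.Printf("strict lookup for device-21 -> error: %v\n", err)
}
```

The simplest design is to key the table by the full client ID string; the post-lookup comparison is the minimal change when the hash-keyed structure has to stay in place, and the NUL check belongs at the parsing boundary so every later consumer sees the same bytes the validator did.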

Exploit Details

  • NATS Test Suite: Proof of concept test case demonstrating session displacement via hash collision.

Mitigation Strategies

  • Upgrade NATS-Server to a patched version immediately.
  • Implement network segmentation to isolate the MQTT listener port.
  • Utilize mutual TLS (mTLS) for client authentication.
  • Deploy NATS Authorization Callouts to strictly bind Client IDs to authenticated users.

Remediation Steps:

  1. Identify all deployed instances of NATS-Server running versions prior to 2.11.15 or 2.12.5.
  2. Download the corresponding updated binary from the official NATS repository.
  3. Drain existing connections gracefully using the server's lame duck mode if high availability is required.
  4. Replace the server binary and restart the service.
  5. Verify the deployed version using the NATS monitoring endpoint or command-line tools.
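Steps 1 and 5 both come down to reading each server's reported version and comparing it against the fixed versions listed above. The Go program below is an added example for this page, not a tool from the NATS project: it parses the `version` field of a nats-server `/varz` monitoring document (served on the monitoring port, 8222 by default, when monitoring is enabled) and reports whether the version falls inside either affected range. The `sampleVarz` document is constructed for the example, and the `server_name` field is assumed to be the one you want in the report; versions above the 2.12 line are outside the ranges the advisory states and are reported as not affected.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// semver holds the numeric parts of a nats-server version plus a flag for
// a pre-release suffix such as "-RC.1", which sorts before the release.
type semver struct {
	nums [3]int
	pre  bool
}

// parseVersion accepts "2.12.0-RC.1", "v2.11.14" or "2.11.14".
func parseVersion(s string) (semver, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	var v semver
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.pre = true
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("unexpected version format %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return v, fmt.Errorf("non-numeric version part %q", p)
		}
		v.nums[i] = n
	}
	return v, nil
}

// less orders by major/minor/patch, then treats a pre-release as lower
// than the corresponding release.
func (a semver) less(b semver) bool {
	for i := 0; i < 3; i++ {
		if a.nums[i] != b.nums[i] {
			return a.nums[i] < b.nums[i]
		}
	}
	return a.pre && !b.pre
}

// Affected reports whether version lies in "< 2.11.15" or in
// "2.12.0-RC.1 to < 2.12.5", the two ranges given in the advisory.
func Affected(version string) (bool, error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	fix211 := semver{nums: [3]int{2, 11, 15}}
	start212 := semver{nums: [3]int{2, 12, 0}, pre: true}
	fix212 := semver{nums: [3]int{2, 12, 5}}
	if v.less(fix211) {
		return true, nil
	}
	if !v.less(start212) && v.less(fix212) {
		return true, nil
	}
	return false, nil
}

// varzDoc is the subset of the /varz document this check reads.
type varzDoc struct {
	ServerName string `json:"server_name"`
	Version    string `json:"version"`
}

// Finding is the per-server result.
type Finding struct {
	ServerName string
	Version    string
	Affected   bool
}

// CheckVarz parses one /varz document and classifies its version.
func CheckVarz(doc []byte) (Finding, error) {
	var v varzDoc
	if err := json.Unmarshal(doc, &v); err != nil {
		return Finding{}, err
	}
	aff, err := Affected(v.Version)
	if err != nil {
		return Finding{}, err
	}
	return Finding{ServerName: v.ServerName, Version: v.Version, Affected: aff}, nil
}

// sampleVarz is a constructed /varz response, trimmed to the fields used.
const sampleVarz = `{"server_name":"nats-a","version":"2.11.14","go":"go1.22.0"}`

func main() {
	f, err := CheckVarz([]byte(sampleVarz))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%s runs %s, affected=%v\n", f.ServerName, f.Version, f.Affected)
}
```

Feed it the body of `GET /varz` from each server (or the output of `nats-server --version`, which reports the same version string) before and after the binary swap in step 4, so step 5 becomes a comparison against the fixed versions rather than a visual check.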
