{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/nats-server/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["NATS server"],"_cs_severities":["high"],"_cs_tags":["nats.io","mqtt","acl-bypass","vulnerability"],"_cs_type":"advisory","_cs_vendors":["NATS.io"],"content_html":"\u003cp\u003eNATS.io is a high-performance open-source pub-sub distributed communication technology used in cloud, on-premise, IoT, and edge computing environments. A critical vulnerability exists in the NATS server that allows MQTT clients to bypass Access Control List (ACL) checks when using the MQTT client interface. Specifically, ACLs are not enforced in the \u003ccode\u003e$MQTT.\u0026gt;\u003c/code\u003e namespace, which handles MQTT subjects. This flaw affects NATS server versions prior to v2.12.6 and v2.11.15, potentially enabling malicious MQTT clients to publish or subscribe to topics they should not have access to, leading to information disclosure or unauthorized control of the NATS messaging system. The vulnerability is identified as CVE-2026-33217 and presents a significant security risk for organizations relying on NATS for secure communication.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a NATS server running a vulnerable version (prior to v2.12.6 or v2.11.15) with MQTT enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes an MQTT client connection to the NATS server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts MQTT PUBLISH or SUBSCRIBE messages targeting subjects within the \u003ccode\u003e$MQTT.\u0026gt;\u003c/code\u003e namespace.\u003c/li\u003e\n\u003cli\u003eThe NATS server, due to the vulnerability, fails to apply configured ACLs to the MQTT messages.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully publishes or subscribes to MQTT topics without proper authorization.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to MQTT data or control over MQTT devices connected to the NATS server.\u003c/li\u003e\n\u003cli\u003eThe attacker can then leverage the unauthorized access for malicious purposes such as data exfiltration or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-33217) can lead to unauthorized access to sensitive MQTT data within the NATS messaging system. This can affect any organization using NATS for MQTT communication, especially in IoT environments where MQTT is prevalent. The impact ranges from information disclosure to complete compromise of MQTT-controlled devices or services. The number of potential victims is dependent on the number of NATS deployments using MQTT functionality and running vulnerable versions, but given the widespread adoption of NATS, the potential impact is significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade NATS server instances to version v2.12.6 or v2.11.15 or later to remediate CVE-2026-33217.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect Suspicious MQTT Namespace Access\u003c/code\u003e to identify potential exploitation attempts targeting the \u003ccode\u003e$MQTT.\u0026gt;\u003c/code\u003e namespace.\u003c/li\u003e\n\u003cli\u003eMonitor NATS server logs for suspicious activity related to MQTT connections and subject access using the \u003ccode\u003e$MQTT.\u0026gt;\u003c/code\u003e namespace.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-nats-mqtt-acl-bypass/","summary":"A vulnerability in NATS.io versions before v2.12.6 or v2.11.15 allows MQTT clients to bypass ACL checks for MQTT subjects due to ACLs not being applied in the `$MQTT.\u003e` namespace, potentially allowing unauthorized access and control of MQTT communications.","title":"NATS.io MQTT ACL Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-nats-mqtt-acl-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["NATS server"],"_cs_severities":["high"],"_cs_tags":["nats","mqtt","credential-access","vulnerability"],"_cs_type":"advisory","_cs_vendors":["NATS"],"content_html":"\u003cp\u003eNATS.io is a high-performance open-source pub-sub distributed communication technology. The NATS server provides an MQTT client interface. A vulnerability exists where MQTT passwords, when used with usercodes, are incorrectly classified as non-authenticating identity statements (JWT) and exposed via monitoring endpoints. This vulnerability affects NATS server versions before v2.12.6 and v2.11.15. Successful exploitation allows unauthorized access to MQTT credentials, potentially leading to broader access within the NATS environment. Defenders should prioritize patching and securing monitoring endpoints to mitigate this risk. The reported CVE is CVE-2026-33216.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a NATS server instance running a vulnerable version (prior to v2.12.6 or v2.11.15) with MQTT enabled.\u003c/li\u003e\n\u003cli\u003eMQTT is configured to use usercodes/passwords for authentication.\u003c/li\u003e\n\u003cli\u003eAttacker accesses the monitoring endpoint of the NATS server. This could be via a direct connection or through a proxy.\u003c/li\u003e\n\u003cli\u003eThe NATS server incorrectly classifies the MQTT password as a non-authenticating JWT.\u003c/li\u003e\n\u003cli\u003eThe server exposes the plaintext MQTT password in the monitoring endpoint's output.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the plaintext MQTT password from the monitoring endpoint.\u003c/li\u003e\n\u003cli\u003eAttacker uses the compromised MQTT credentials to authenticate to the NATS server via the MQTT client interface.\u003c/li\u003e\n\u003cli\u003eAttacker gains unauthorized access to NATS server resources and pub-sub channels accessible to the compromised MQTT user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-33216) allows an attacker to gain unauthorized access to MQTT credentials. This can lead to the attacker gaining access to sensitive data being transmitted through the NATS pub-sub system. The impact depends on the privileges associated with the compromised MQTT user and the data accessible through the NATS channels it can access. If the monitoring endpoint is exposed to the internet, the risk is significantly increased.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade NATS server instances to version v2.12.6 or v2.11.15 or later to remediate the vulnerability (CVE-2026-33216).\u003c/li\u003e\n\u003cli\u003eImplement strong access controls on the NATS server monitoring endpoints as suggested in the advisory to prevent unauthorized access.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect NATS Server Monitoring Endpoint Access\u003c/code\u003e to identify suspicious access attempts to the monitoring endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-23-nats-mqtt-disclosure/","summary":"The NATS server exposes MQTT passwords in plaintext via monitoring endpoints due to incorrect classification as JWTs, affecting versions before v2.12.6 or v2.11.15.","title":"NATS Server MQTT Password Disclosure Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-23-nats-mqtt-disclosure/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["NATS server"],"_cs_severities":["high"],"_cs_tags":["nats","credential-exposure","monitoring-port"],"_cs_type":"advisory","_cs_vendors":["NATS.io"],"content_html":"\u003cp\u003eNATS.io is a high-performance, open-source messaging system designed for cloud, on-premise, IoT, and edge computing environments. A vulnerability exists where credentials passed via command-line arguments (\u003ccode\u003eargv\u003c/code\u003e) to the \u003ccode\u003enats-server\u003c/code\u003e are exposed through the server's monitoring port. Specifically, if a NATS server is launched with client authentication details specified directly in the command line, this information becomes visible via the \u003ccode\u003e/debug/vars\u003c/code\u003e endpoint. This affects NATS server versions prior to 2.11.15 and versions 2.12.0-RC.1 through 2.12.6. Attackers with access to the monitoring port can extract these credentials and potentially gain unauthorized access to the NATS messaging system. This exposure represents a significant security risk, especially in environments where the monitoring port is accessible from untrusted networks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA NATS server is deployed with the \u003ccode\u003e--user\u003c/code\u003e and \u003ccode\u003e--pass\u003c/code\u003e parameters in the command line (\u003ccode\u003eargv\u003c/code\u003e) to configure client authentication.\u003c/li\u003e\n\u003cli\u003eThe monitoring port is enabled on the NATS server, typically on port 8222.\u003c/li\u003e\n\u003cli\u003eAn attacker gains access to the monitoring port, either through network access or by exploiting a separate vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP GET request to the \u003ccode\u003e/debug/vars\u003c/code\u003e endpoint on the monitoring port (e.g., \u003ccode\u003ehttp://nats-server:8222/debug/vars\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server responds with a JSON payload containing system information, including the command-line arguments used to launch the server.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the JSON response and extracts the credentials specified in the \u003ccode\u003e--user\u003c/code\u003e and \u003ccode\u003e--pass\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted credentials to authenticate with the NATS server as a legitimate client.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the NATS messaging system, enabling them to publish, subscribe, and manage messages within the system, potentially leading to data breaches or service disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows unauthorized access to the NATS messaging system. The number of affected deployments is unknown, but any NATS server running a vulnerable version with command-line credentials and an exposed monitoring port is at risk. Compromised NATS deployments can lead to data breaches, service disruption, or the use of the messaging system for malicious purposes. Organizations in any sector utilizing NATS for inter-service communication or real-time data streaming are potentially affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eConfigure NATS server credentials within a dedicated configuration file instead of passing them via command-line arguments, as recommended in the advisory's \u0026quot;Workarounds\u0026quot; section.\u003c/li\u003e\n\u003cli\u003eDisable the monitoring port if command-line arguments are used for credential management, as mentioned in the advisory's \u0026quot;Workarounds\u0026quot; section.\u003c/li\u003e\n\u003cli\u003eImplement network access controls to restrict access to the monitoring port from untrusted networks, as stated in the advisory's \u0026quot;Workarounds\u0026quot; section.\u003c/li\u003e\n\u003cli\u003eUpgrade to NATS server version 2.11.15 or 2.12.6 or later to patch CVE-2026-33247 as described in the advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-nats-credential-exposure/","summary":"NATS servers configured with command-line credentials expose them through the `/debug/vars` endpoint on the monitoring port, affecting versions prior to 2.11.15 and between 2.12.0-RC.1 and 2.12.6, potentially leading to unauthorized access.","title":"NATS Server Credentials Exposure via Monitoring Port","url":"https://feed.craftedsignal.io/briefs/2024-01-nats-credential-exposure/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["NATS server"],"_cs_severities":["high"],"_cs_tags":["nats","denial-of-service","compression"],"_cs_type":"advisory","_cs_vendors":["NATS"],"content_html":"\u003cp\u003eNATS.io is a high-performance open-source pub-sub distributed communication technology. A vulnerability exists when a NATS server is configured to accept leafnode connections, which is not the default setting. In this configuration, a malicious remote NATS server can trigger a server panic by exploiting the compression negotiation process on the leafnode port (default 7422). This vulnerability, identified as CVE-2026-29785, occurs pre-authentication, meaning an attacker does not need valid credentials. The vulnerability affects NATS server versions prior to v2.11.14 and versions between v2.12.0-RC.1 and v2.12.5. Defenders should disable compression on the leafnode port to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a NATS server with leafnode configuration enabled and compression active on port 7422.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a connection to the leafnode port (7422) of the target NATS server.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a compression negotiation handshake with the target server.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted message during the compression negotiation, designed to exploit a vulnerability in the NATS server's compression handling logic.\u003c/li\u003e\n\u003cli\u003eThe NATS server attempts to process the malicious compression data.\u003c/li\u003e\n\u003cli\u003eDue to the crafted nature of the data, the NATS server's compression library triggers a panic.\u003c/li\u003e\n\u003cli\u003eThe NATS server process terminates abruptly due to the panic.\u003c/li\u003e\n\u003cli\u003eThe NATS server becomes unavailable, disrupting NATS-based communication.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in a denial-of-service (DoS) condition. Any NATS server configured to accept leafnode connections is vulnerable. This could impact cloud, on-premise, IoT, and edge computing environments using NATS for inter-service communication. The exact number of affected systems is unknown, but the impact is significant as it can disrupt critical communication pathways.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDisable compression on the leafnode port by setting \u003ccode\u003ecompression: off\u003c/code\u003e in the NATS server configuration file as described in the advisory to remediate CVE-2026-29785.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to port 7422, the default leafnode port, for unexpected connection attempts from untrusted sources (refer to the IOC table).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect connections to the leafnode port with unexpected client IP addresses.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-nats-server-panic/","summary":"A vulnerability exists in NATS servers configured to accept leafnode connections where a malicious remote NATS server can trigger a server panic by exploiting compression negotiation on the leafnode port.","title":"NATS Server Panic via Malicious Compression on Leafnode Port","url":"https://feed.craftedsignal.io/briefs/2024-01-09-nats-server-panic/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["NATS Server"],"_cs_severities":["high"],"_cs_tags":["nats","denial-of-service","leafnode"],"_cs_type":"advisory","_cs_vendors":["NATS"],"content_html":"\u003cp\u003eNATS.io is a high-performance open-source pub-sub distributed communication technology widely used for cloud, on-premise, IoT, and edge computing environments. NATS servers utilize \u0026quot;leafnode\u0026quot; connections to enable hub/spoke topologies with other NATS servers. A critical vulnerability has been discovered affecting NATS servers prior to versions v2.12.6 and v2.11.15. This flaw allows an unauthenticated client capable of connecting to the leafnode port to trigger a server panic, resulting in a denial-of-service condition. This vulnerability, identified as CVE-2026-33218, highlights the importance of securing NATS deployments and promptly applying available patches or workarounds to prevent potential service disruptions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable NATS server with an exposed leafnode port.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a network connection to the leafnode port (typically 7422).\u003c/li\u003e\n\u003cli\u003eThe attacker sends a specially crafted, malformed message to the leafnode port. This message is designed to exploit a flaw in the pre-authentication handling of leafnode connections.\u003c/li\u003e\n\u003cli\u003eThe NATS server attempts to process the malformed message without proper validation.\u003c/li\u003e\n\u003cli\u003eDue to the malformed nature of the message, a panic occurs within the NATS server's code, specifically related to leafnode message processing.\u003c/li\u003e\n\u003cli\u003eThe panic causes the NATS server process to terminate abruptly.\u003c/li\u003e\n\u003cli\u003eThe NATS server becomes unavailable, disrupting any applications or services relying on it.\u003c/li\u003e\n\u003cli\u003eThis denial-of-service condition persists until the NATS server is manually restarted, and further attacks can repeat the process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to a denial-of-service condition affecting the NATS server. The impact scope depends on the criticality of the NATS server within the affected environment. Services relying on the NATS server for communication will become unavailable, potentially disrupting business operations. The vulnerability affects all environments using vulnerable NATS server instances, including cloud deployments, on-premise installations, and edge computing scenarios. Widespread exploitation could result in significant operational disruptions across various sectors relying on NATS for real-time data streaming and messaging.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade NATS servers to version v2.12.6 or v2.11.15 or later to patch CVE-2026-33218.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, disable leafnode support on NATS servers if it is not required, mitigating the attack vector.\u003c/li\u003e\n\u003cli\u003eRestrict network connections to the leafnode port (default 7422) using firewalls or network access control lists, limiting potential attackers.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to the leafnode port for unexpected or unauthorized access attempts, using network connection logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-nats-leafnode-panic/","summary":"A pre-authentication denial-of-service vulnerability exists in NATS servers before versions v2.12.6 and v2.11.15, allowing a remote client connected to the leafnode port to crash the server by sending a malformed message.","title":"NATS Server Pre-Authentication Denial-of-Service via Leafnode Handling","url":"https://feed.craftedsignal.io/briefs/2024-01-03-nats-leafnode-panic/"}],"language":"en","title":"CraftedSignal Threat Feed - NATS Server","version":"https://jsonfeed.org/version/1.1"}