{
  "threat_severity" : "Moderate",
  "public_date" : "2026-03-24T20:55:53Z",
  "bugzilla" : {
    "description" : "nats-server: NATS-Server: Session and message hijacking via MQTT Client ID malfeasance",
    "id" : "2451021",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2451021"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L",
    "status" : "draft"
  },
  "cwe" : "CWE-290",
  "details" : [ "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server provides an MQTT client interface. Prior to versions 2.11.15 and 2.12.5, Sessions and Messages can be hijacked via MQTT Client ID malfeasance. Versions 2.11.15 and 2.12.5 patch the issue. No known workarounds are available.", "A flaw was found in NATS-Server. A remote attacker could exploit this vulnerability by manipulating MQTT (Message Queuing Telemetry Transport) Client IDs. This malfeasance allows for the hijacking of client sessions and messages. This could lead to unauthorized access to sensitive information or disruption of service." ],
  "package_state" : [ {
    "product_name" : "Multicluster Global Hub",
    "fix_state" : "Not affected",
    "package_name" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel9",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "openshift4/oc-mirror-plugin-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-33215\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33215\nhttps://advisories.nats.io/CVE/secnote-2026-06.tx\nhttps://github.com/nats-io/nats-server/security/advisories/GHSA-fcjp-h8cc-6879" ],
  "name" : "CVE-2026-33215",
  "csaw" : false
}