{
  "threat_severity" : "Important",
  "public_date" : "2026-03-25T19:41:55Z",
  "bugzilla" : {
    "description" : "nats-server: github.com/nats-io/nats-server: NATS-Server: Information disclosure of MQTT passwords through monitoring endpoints",
    "id" : "2451448",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2451448"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.6",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-213",
  "details" : [ "NATS-Server is a high-performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints. Versions 2.11.14 and 2.12.6 contain a fix. As a workaround, ensure monitoring endpoints are adequately secured. Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users.", "A flaw was found in NATS-Server, a high-performance server for the NATS.io messaging system. For MQTT deployments utilizing usercodes and passwords, the MQTT passwords were mistakenly categorized as non-authenticating identity statements (JSON Web Tokens - JWT). This misclassification leads to the exposure of these passwords through monitoring endpoints, enabling an attacker with access to these endpoints to gain sensitive information." ],
  "package_state" : [ {
    "product_name" : "Multicluster Global Hub",
    "fix_state" : "Not affected",
    "package_name" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel9",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/oc-mirror-plugin-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-33216\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33216\nhttps://advisories.nats.io/CVE/secnote-2026-05.txt\nhttps://github.com/nats-io/nats-server/commit/b5b63cfc35a57075e09c1f57503d31721bed8099\nhttps://github.com/nats-io/nats-server/security/advisories/GHSA-v722-jcv5-w7mc" ],
  "name" : "CVE-2026-33216",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}