{
  "threat_severity" : "Important",
  "public_date" : "2026-03-25T19:43:40Z",
  "bugzilla" : {
    "description" : "nats-server: github.com/nats-io/nats-server: NATS-Server: Access control bypass via unapplied ACLs in MQTT namespace",
    "id" : "2451446",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2451446"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-425",
  "details" : [ "NATS-Server is a high-performance server for NATS.io, a cloud- and edge-native messaging system. Prior to versions 2.11.15 and 2.12.6, when using ACLs on message subjects, these ACLs were not applied in the `$MQTT.>` namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.", "A flaw was found in NATS-Server. When Access Control Lists (ACLs) were configured for message subjects, these controls were not correctly applied within the `$MQTT.>` namespace. This oversight allows MQTT clients to bypass the intended ACL checks, potentially granting unauthorized access to sensitive message subjects. This vulnerability could lead to information disclosure or unauthorized message manipulation." ],
  "package_state" : [ {
    "product_name" : "Multicluster Global Hub",
    "fix_state" : "Not affected",
    "package_name" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel9",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/oc-mirror-plugin-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-33217\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33217\nhttps://advisories.nats.io/CVE/secnote-2026-07.txt\nhttps://github.com/nats-io/nats-server/security/advisories/GHSA-jxxm-27vp-c3m5" ],
  "name" : "CVE-2026-33217",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available, or the currently available options do not meet the Red Hat Product Security criteria of ease of use and deployment, applicability to a widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}