CVE-2026-33215: MQTT Session and Message Hijacking via Client ID Malfeasance in NATS-Server

NATS-Server implements an MQTT interface backed by its JetStream persistence engine. The system relies on Client IDs to map incoming connections to existing message streams and subscriptions. An unauthenticated remote attacker can manipulate these Client IDs to bypass authentication mechanisms and hijack active sessions.

The vulnerability comprises several distinct software defects affecting how the server processes MQTT identifiers. The primary defect involves a hash collision weakness within the session persistence layer. Secondary defects include improper input validation concerning null-byte truncation and protocol desynchronization in fixed-size control packets.

Successful exploitation allows the attacker to assume the identity of a legitimate client. The server subsequently routes the victim's private message stream to the attacker. This exposes sensitive data and potentially disrupts the legitimate client's connection.

The JetStream backend uses a custom hashing function to optimize lookups for persisted MQTT sessions. When a client reconnects with the cleanSession=false flag, the server calculates the hash of the provided Client ID to retrieve the corresponding session state. The server failed to verify that the string identifier of the retrieved session matched the string identifier of the requesting client.

This logical omission creates a direct session hijacking vector. If two distinct Client IDs produce identical hash values, the server treats them as the same entity. The custom hashing algorithm used by NATS-Server exhibits sufficient collision probability to make this practically exploitable by brute-forcing local hashes until a match is found for a target ID.

Beyond the hashing flaw, the server processes MQTT string identifiers without sanitizing null bytes. If internal string handling logic truncates the input at the first null byte, an attacker can append arbitrary characters to a legitimate Client ID. This bypasses length restrictions while still mapping to the victim's internal session representation.

Furthermore, clustered deployments suffer from state desynchronization due to improper struct comparisons. The server relies on reflect.DeepEqual to enforce idempotency during stream creation. The StreamSource struct contains an internal iname field mutated exclusively by the server, causing mathematically identical user requests to be rejected as mismatched configurations.

The primary vulnerability resides in the session retrieval logic where the server implicitly trusts the hash index. The vulnerable implementation retrieves the session object based solely on the integer hash value. The code returns the session immediately without verifying the underlying string identifiers.

The patch introduced in commit 43e13a40a67a43880d14293791799fc5b0465bb5 corrects this by adding explicit string comparison. After fetching the session via the hash index, the server now performs a strict equality check. If the identifiers differ, the server rejects the connection and returns an authentication failure.

// Conceptual logic based on NATS-Server MQTT implementation
 
// Vulnerable Logic
sessionHash := getHash(requestedClientID)
if session, exists := server.sessions[sessionHash]; exists {
    // Implicit trust of the hash index
    return session 
}
 
// Patched Logic
sessionHash := getHash(requestedClientID)
if session, exists := server.sessions[sessionHash]; exists {
    // Explicit identifier verification added
    if session.ClientID != requestedClientID {
        return nil, ErrSessionMismatch
    }
    return session
}

A parallel patch addressed the null-byte truncation vulnerability in commit adfb16280e2a842ffe102b398170552b9112b919. The developers added explicit boundary checks across all MQTT string parsing functions. The parser now iterates through the byte array and raises a protocol error if a \0 character is encountered within the Client ID, username, or topic strings.

The clustered stream state desynchronization also required a structural fix. The patch in commit ad80e455d8624ba01cfa69a05c7090e448ccfab3 modified the clustering layer. Before evaluating reflect.DeepEqual, the server now explicitly synchronizes the iname field from the existing state to the proposed state. This guarantees that internal metadata does not cause false negatives during configuration equivalence checks.

An attacker requires network access to the target NATS-Server MQTT interface, which defaults to port 1883. The attacker also needs prior knowledge of a victim's Client ID. Once the target ID is known, the attacker computes the NATS-specific hash for that ID offline.

The attacker generates millions of random Client IDs locally, hashing each until a collision with the target hash is found. The NATS test suite demonstrates this exact scenario using known colliding IDs, such as cid-03579431 and cid-09191235. The attacker connects to the server using the collided ID and sets the MQTT cleanSession flag to false.

The server processes the connection request, hashes the attacker's ID, and inadvertently retrieves the victim's persistent session. The server binds the attacker's network connection to the victim's session state. Any pending messages or future messages published to the victim's subscribed topics are actively routed to the attacker.

The primary impact of this vulnerability is a severe breach of message confidentiality. An attacker successfully exploiting the hash collision or null-byte truncation vectors gains full read access to the victim's subscribed message streams. Depending on the deployment context, this exposes sensitive telemetry, command-and-control directives, or private user data.

Integrity is indirectly affected if the attacker leverages the hijacked session to publish messages under the victim's identity. While the official CVSS vector scores integrity as None, application-level spoofing remains a practical consequence in systems lacking external message-level cryptographic signatures. The server explicitly trusts the connection as belonging to the victim.

Availability is compromised due to session displacement mechanics. MQTT protocol rules dictate that a new connection using an existing Client ID session forces the server to disconnect the older connection. The legitimate client experiences a persistent denial-of-service condition and is repeatedly disconnected as long as the attacker maintains the colliding session.

System administrators must upgrade NATS-Server deployments to versions 2.11.15 or 2.12.5. These releases contain the necessary string verification checks and strict input parsing logic required to prevent identifier manipulation. Environments running the 2.12 release candidate series must upgrade to 2.12.6-RC.1.

If immediate patching is unfeasible, administrators should restrict network access to the MQTT listener port. Implementing strict firewall rules or utilizing mutual TLS ensures that only trusted clients can initiate connections. This mitigates the risk of external exploitation by unauthorized external actors.

Organizations should implement strict Client ID naming policies and leverage NATS Authorization Callouts. By validating the Client ID against an external identity provider during the connection phase, administrators enforce a strict one-to-one mapping between authenticated users and their authorized MQTT session identifiers.