CVE-2026-32696 in NanoMQ MQTT Broker
요약 (영어)
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In NanoMQ version 0.24.6, after enabling auth.http_auth (HTTP authentication), when a client connects to the broker using MQTT CONNECT without providing username/password, and the configuration params uses the placeholders %u / %P (e.g., username="%u", password="%P"), the HTTP request construction phase enters auth_http.c:set_data(). This results in calling strlen() on a NULL pointer, causing a SIGSEGV crash. This crash can be triggered remotely, resulting in a denial of service. This issue has been patched in version 0.24.7.
책임이 있는
GitHub_M
예약하다
2026. 03. 13.
공개
2026. 03. 30.
엔트리
| 아이디 | 취약성 | CWE | 기본 | 임시 | 0day | 오늘 | 악용 | KEV | EPSS | CTI | 대책 | CVE |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 354270 | NanoMQ MQTT Broker set_data 서비스 거부 | 476 | 3.1 | 3.0 | $0-$5k | 계산 중 | 정의되지 않음 | 0.00000 | 0.00+ | 공식 수정 | CVE-2026-32696 |