CVE-2026-32696 in NanoMQ MQTT Broker
Sumário (Inglês)
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In NanoMQ version 0.24.6, after enabling auth.http_auth (HTTP authentication), when a client connects to the broker using MQTT CONNECT without providing username/password, and the configuration params uses the placeholders %u / %P (e.g., username="%u", password="%P"), the HTTP request construction phase enters auth_http.c:set_data(). This results in calling strlen() on a NULL pointer, causing a SIGSEGV crash. This crash can be triggered remotely, resulting in a denial of service. This issue has been patched in version 0.24.7.
Responsável
GitHub_M
Reservar
13/03/2026
Divulgação
30/03/2026
Inscrições
| ID | Vulnerabilidade | CWE | Exp | Con | CVE |
|---|---|---|---|---|---|
| 354270 | NanoMQ MQTT Broker set_data Negação de Serviço | 476 | Não definido | Correção oficial | CVE-2026-32696 |