CVE-2026-32696 in NanoMQ MQTT Broker
摘要 (英语)
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In NanoMQ version 0.24.6, after enabling auth.http_auth (HTTP authentication), when a client connects to the broker using MQTT CONNECT without providing username/password, and the configuration params uses the placeholders %u / %P (e.g., username="%u", password="%P"), the HTTP request construction phase enters auth_http.c:set_data(). This results in calling strlen() on a NULL pointer, causing a SIGSEGV crash. This crash can be triggered remotely, resulting in a denial of service. This issue has been patched in version 0.24.7.
负责
GitHub_M
预定
2026-03-13
披露
2026-03-30
条目
| 标识符 | 漏洞 | CWE | 基础 | 临时 | 0day | 今天 | 可利用 | KEV | EPSS | CTI | 对策 | CVE |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 354270 | NanoMQ MQTT Broker set_data 拒绝服务 | 476 | 3.1 | 3.0 | $0-$5k | 计算 | 未定义 | 0.00000 | 0.00 | 官方修复 | CVE-2026-32696 |