Nixpkgs security tracker

Untriaged

Permalink CVE-2026-32696

3.1 LOW

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): NONE
Availability impact (A): LOW

created 2 weeks, 4 days ago

NanoMQ HTTP Auth: Missing username/password can trigger a NULL-pointer strlen() in auth_http.c:set_data(), causing a process crash — SIGSEGV, remotely triggerable

NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In NanoMQ version 0.24.6, after enabling auth.http_auth (HTTP authentication), when a client connects to the broker using MQTT CONNECT without providing username/password, and the configuration params uses the placeholders %u / %P (e.g., username="%u", password="%P"), the HTTP request construction phase enters auth_http.c:set_data(). This results in calling strlen() on a NULL pointer, causing a SIGSEGV crash. This crash can be triggered remotely, resulting in a denial of service. This issue has been patched in version 0.24.7.

References

https://github.com/nanomq/nanomq/security/advisories/GHSA-77f4-wvq8-mp3p x_refsource_CONFIRM
https://github.com/nanomq/NanoNNG/pull/1394 x_refsource_MISC
https://github.com/nanomq/NanoNNG/commit/c20aa27e5290bb480a5315099952480d35f37a8b x_refsource_MISC
https://github.com/nanomq/nanomq/releases/tag/0.24.7 x_refsource_MISC

Affected products

nanomq

==>= 0.24.6, < 0.24.7

Matching in nixpkgs

pkgs.nanomq

Ultra-lightweight and blazing-fast MQTT broker for IoT edge

nixos-unstable 0.24.11
- nixpkgs-unstable 0.24.11
- nixos-unstable-small 0.24.11
nixos-25.11 0.24.10
- nixos-25.11-small 0.24.10
- nixpkgs-25.11-darwin 0.24.10

Package maintainers

@sikmir Nikolay Korotkiy <sikmir@disroot.org>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.nanomq

Package maintainers