{"id":"CVE-2026-32696","summary":"NanoMQ HTTP Auth: Missing username/password can trigger a NULL-pointer strlen() in auth_http.c:set_data(), causing a process crash — SIGSEGV, remotely triggerable","details":"NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In NanoMQ version 0.24.6, after enabling auth.http_auth (HTTP authentication), when a client connects to the broker using MQTT CONNECT without providing username/password, and the configuration params uses the placeholders %u / %P (e.g., username=\"%u\", password=\"%P\"), the HTTP request construction phase enters auth_http.c:set_data(). This results in calling strlen() on a NULL pointer, causing a SIGSEGV crash. This crash can be triggered remotely, resulting in a denial of service. This issue has been patched in version 0.24.7.","aliases":["GHSA-77f4-wvq8-mp3p"],"modified":"2026-04-12T20:14:04.642344Z","published":"2026-03-30T20:11:30.580Z","database_specific":{"cwe_ids":["CWE-476"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32696.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32696.json"},{"type":"FIX","url":"https://github.com/nanomq/NanoNNG/commit/c20aa27e5290bb480a5315099952480d35f37a8b"},{"type":"FIX","url":"https://github.com/nanomq/NanoNNG/pull/1394"},{"type":"WEB","url":"https://github.com/nanomq/nanomq/releases/tag/0.24.7"},{"type":"ADVISORY","url":"https://github.com/nanomq/nanomq/security/advisories/GHSA-77f4-wvq8-mp3p"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32696"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nanomq/nanonng","events":[{"introduced":"ed3ca6fe91f341e72cbee0b13321dc9502c7c09c"},{"fixed":"89ac265ec2be8397aec05b383f03aad67189060e"}],"database_specific":{"versions":[{"introduced":"0.24.6"},{"fixed":"0.24.7"}]}}],"versions":["0.24.6"],"database_specific":{"vanir_signatures":[{"deprecated":false,"digest":{"line_hashes":["52844777112396057456275717574152334497","256922439940024442121487004700823563200","33430546955955752580482393956906191381","236497918345231191818893218802851037927","34218747060556881815855619959213094389","153774283386743343399310811795851874199","125330332525092710361108699802633065955","173878156555487118740790950504304142821","156786202179583432749733978334395569128"],"threshold":0.9},"id":"CVE-2026-32696-d5c74dd9","target":{"file":"src/sp/transport/mqttws/nmq_websocket.c"},"source":"https://github.com/nanomq/nanonng/commit/89ac265ec2be8397aec05b383f03aad67189060e","signature_version":"v1","signature_type":"Line"},{"deprecated":false,"digest":{"length":499,"function_hash":"318311335626546940215551707965025750098"},"id":"CVE-2026-32696-de2051b1","target":{"function":"wstran_pipe_send_cb","file":"src/sp/transport/mqttws/nmq_websocket.c"},"source":"https://github.com/nanomq/nanonng/commit/89ac265ec2be8397aec05b383f03aad67189060e","signature_version":"v1","signature_type":"Function"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32696.json","vanir_signatures_modified":"2026-04-12T20:14:04Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L"}]}