CVE-2026-33223

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, the NATS message header `Nats-Request-Info:` is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective. An attacker with valid credentials for any regular client interface could thus spoof their identity to services which rely upon this header. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.

CVSS v3 6.4 MEDIUM

6.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.1 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://advisories.nats.io/CVE/secnote-2026-09.txt	Vendor Advisory
https://github.com/nats-io/nats-server/security/advisories/GHSA-pwx7-fx9r-hr4h	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:linuxfoundation:nats-server::::::::
	cpe:2.3:a:linuxfoundation:nats-server::::::::

History

No history.

Information

Published : 2026-03-25 21:16

Updated : 2026-03-26 17:18

NVD link : CVE-2026-33223

Mitre link : CVE-2026-33223

CVE.ORG link : CVE-2026-33223

JSON object : View

Products Affected

linuxfoundation

nats-server

CWE

CWE-290

Authentication Bypass by Spoofing

{"id": "CVE-2026-33223", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 3.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}]}, "published": "2026-03-25T21:16:47.397", "references": [{"url": "https://advisories.nats.io/CVE/secnote-2026-09.txt", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-pwx7-fx9r-hr4h", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-290"}]}], "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, the NATS message header `Nats-Request-Info:` is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective. An attacker with valid credentials for any regular client interface could thus spoof their identity to services which rely upon this header. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available."}, {"lang": "es", "value": "NATS-Server es un servidor de alto rendimiento para NATS.io, un sistema de mensajer\u00eda nativo de la nube y del borde. Antes de las versiones 2.11.15 y 2.12.6, la cabecera de mensaje de NATS 'Nats-Request-Info:' se supone que es una garant\u00eda de identidad por parte del servidor NATS, pero la eliminaci\u00f3n de esta cabecera de los mensajes entrantes no fue completamente efectiva. Un atacante con credenciales v\u00e1lidas para cualquier interfaz de cliente regular podr\u00eda as\u00ed suplantar su identidad a servicios que dependen de esta cabecera. Las versiones 2.11.15 y 2.12.6 contienen una soluci\u00f3n. No hay soluciones alternativas conocidas disponibles."}], "lastModified": "2026-03-26T17:18:04.750", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13EA156E-2759-4586-A22E-CDEAAD4D610C", "versionEndExcluding": "2.11.15"}, {"criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4E347CFB-C56D-4FD8-8DD8-3D34C08D7154", "versionEndExcluding": "2.12.6", "versionStartIncluding": "2.12.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}