CVE-2026-33249

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission. The payload is a valid trace message and not chosen by the attacker. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://advisories.nats.io/CVE/secnote-2026-15.txt	Vendor Advisory
https://github.com/nats-io/nats-server/security/advisories/GHSA-8m2x-3m6q-6w8j	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:linuxfoundation:nats-server::::::::
	cpe:2.3:a:linuxfoundation:nats-server::::::::

History

No history.

Information

Published : 2026-03-25 21:16

Updated : 2026-03-26 16:20

NVD link : CVE-2026-33249

Mitre link : CVE-2026-33249

CVE.ORG link : CVE-2026-33249

JSON object : View

Products Affected

linuxfoundation

nats-server

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2026-33249", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2026-03-25T21:16:47.737", "references": [{"url": "https://advisories.nats.io/CVE/secnote-2026-15.txt", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-8m2x-3m6q-6w8j", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission. The payload is a valid trace message and not chosen by the attacker. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available."}, {"lang": "es", "value": "NATS-Server es un servidor de alto rendimiento para NATS.io, un sistema de mensajer\u00eda nativo de la nube y del borde. A partir de la versi\u00f3n 2.11.0 y antes de las versiones 2.11.15 y 2.12.6, un cliente v\u00e1lido que utiliza encabezados de rastreo de mensajes puede indicar que los mensajes de rastreo pueden enviarse a un asunto v\u00e1lido arbitrario, incluidos aquellos para los que el cliente no tiene permiso de publicaci\u00f3n. La carga \u00fatil es un mensaje de rastreo v\u00e1lido y no es elegido por el atacante. Las versiones 2.11.15 y 2.12.6 contienen una correcci\u00f3n. No hay soluciones alternativas conocidas disponibles."}], "lastModified": "2026-03-26T16:20:55.100", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "04A14239-FB32-4FD3-8B45-BDE015A7F721", "versionEndExcluding": "2.11.15", "versionStartIncluding": "2.11.0"}, {"criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4E347CFB-C56D-4FD8-8DD8-3D34C08D7154", "versionEndExcluding": "2.12.6", "versionStartIncluding": "2.12.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}