CVE-2026-33246 (GCVE-0-2026-33246)

Vulnerability from cvelistv5 – Published: 2026-03-25 19:50 – Updated: 2026-03-28 01:42
VLAI?
Title
NATS: Leafnode connections allow spoofing of Nats-Request-Info identity headers
Summary
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server offers a `Nats-Request-Info:` message header, providing information about a request. This is supposed to provide enough information to allow for account/user identification, such that NATS clients could make their own decisions on how to trust a message, provided that they trust the nats-server as a broker. A leafnode connecting to a nats-server is not fully trusted unless the system account is bridged too. Thus identity claims should not have propagated unchecked. Prior to versions 2.11.15 and 2.12.6, NATS clients relying upon the Nats-Request-Info: header could be spoofed. This does not directly affect the nats-server itself, but the CVSS Confidentiality and Integrity scores are based upon what a hypothetical client might choose to do with this NATS header. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.
Severity ?
6.4 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CWE
  • CWE-287 - Improper Authentication
  • CWE-290 - Authentication Bypass by Spoofing
Assigner
References
Impacted products
Vendor Product Version
nats-io nats-server Affected: < 2.11.15
Affected: >= 2.12.0-RC.1, < 2.12.6
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33246",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-28T01:39:39.361826Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-28T01:42:55.527Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nats-server",
          "vendor": "nats-io",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.11.15"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.12.0-RC.1, \u003c 2.12.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server offers a `Nats-Request-Info:` message header, providing information about a request. This is supposed to provide enough information to allow for account/user identification, such that NATS clients could make their own decisions on how to trust a message, provided that they trust the nats-server as a broker. A leafnode connecting to a nats-server is not fully trusted unless the system account is bridged too. Thus identity claims should not have propagated unchecked. Prior to versions 2.11.15 and 2.12.6, NATS clients relying upon the Nats-Request-Info: header could be spoofed. This does not directly affect the nats-server itself, but the CVSS Confidentiality and Integrity scores are based upon what a hypothetical client might choose to do with this NATS header. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287: Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-290",
              "description": "CWE-290: Authentication Bypass by Spoofing",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-25T19:50:03.453Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-55h8-8g96-x4hj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-55h8-8g96-x4hj"
        },
        {
          "name": "https://advisories.nats.io/CVE/secnote-2026-08.txt",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://advisories.nats.io/CVE/secnote-2026-08.txt"
        }
      ],
      "source": {
        "advisory": "GHSA-55h8-8g96-x4hj",
        "discovery": "UNKNOWN"
      },
      "title": "NATS: Leafnode connections allow spoofing of Nats-Request-Info identity headers"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33246",
    "datePublished": "2026-03-25T19:50:03.453Z",
    "dateReserved": "2026-03-18T02:42:27.509Z",
    "dateUpdated": "2026-03-28T01:42:55.527Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33246\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-25T20:16:33.010\",\"lastModified\":\"2026-03-26T17:16:21.447\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server offers a `Nats-Request-Info:` message header, providing information about a request. This is supposed to provide enough information to allow for account/user identification, such that NATS clients could make their own decisions on how to trust a message, provided that they trust the nats-server as a broker. A leafnode connecting to a nats-server is not fully trusted unless the system account is bridged too. Thus identity claims should not have propagated unchecked. Prior to versions 2.11.15 and 2.12.6, NATS clients relying upon the Nats-Request-Info: header could be spoofed. This does not directly affect the nats-server itself, but the CVSS Confidentiality and Integrity scores are based upon what a hypothetical client might choose to do with this NATS header. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.\"},{\"lang\":\"es\",\"value\":\"NATS-Server es un servidor de alto rendimiento para NATS.io, un sistema de mensajer\u00eda nativo de la nube y del borde. El nats-server ofrece un encabezado de mensaje \u0027Nats-Request-Info:\u0027, que proporciona informaci\u00f3n sobre una solicitud. Se supone que esto proporciona suficiente informaci\u00f3n para permitir la identificaci\u00f3n de cuenta/usuario, de modo que los clientes NATS puedan tomar sus propias decisiones sobre c\u00f3mo confiar en un mensaje, siempre que conf\u00eden en el nats-server como un intermediario. Un nodo hoja que se conecta a un nats-server no es completamente confiable a menos que la cuenta del sistema tambi\u00e9n est\u00e9 interconectada. Por lo tanto, las afirmaciones de identidad no deber\u00edan haberse propagado sin verificar. Antes de las versiones 2.11.15 y 2.12.6, los clientes NATS que depend\u00edan del encabezado \u0027Nats-Request-Info:\u0027 pod\u00edan ser suplantados. Esto no afecta directamente al nats-server en s\u00ed, pero las puntuaciones de Confidencialidad e Integridad de CVSS se basan en lo que un cliente hipot\u00e9tico podr\u00eda decidir hacer con este encabezado NATS. Las versiones 2.11.15 y 2.12.6 contienen una soluci\u00f3n. No hay soluciones alternativas conocidas disponibles.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\",\"baseScore\":6.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.1,\"impactScore\":2.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"},{\"lang\":\"en\",\"value\":\"CWE-290\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.11.15\",\"matchCriteriaId\":\"13EA156E-2759-4586-A22E-CDEAAD4D610C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.12.0\",\"versionEndExcluding\":\"2.12.6\",\"matchCriteriaId\":\"4E347CFB-C56D-4FD8-8DD8-3D34C08D7154\"}]}]}],\"references\":[{\"url\":\"https://advisories.nats.io/CVE/secnote-2026-08.txt\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/nats-io/nats-server/security/advisories/GHSA-55h8-8g96-x4hj\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33246\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-28T01:39:39.361826Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-28T01:41:07.306Z\"}}], \"cna\": {\"title\": \"NATS: Leafnode connections allow spoofing of Nats-Request-Info identity headers\", \"source\": {\"advisory\": \"GHSA-55h8-8g96-x4hj\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"nats-io\", \"product\": \"nats-server\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.11.15\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.12.0-RC.1, \u003c 2.12.6\"}]}], \"references\": [{\"url\": \"https://github.com/nats-io/nats-server/security/advisories/GHSA-55h8-8g96-x4hj\", \"name\": \"https://github.com/nats-io/nats-server/security/advisories/GHSA-55h8-8g96-x4hj\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://advisories.nats.io/CVE/secnote-2026-08.txt\", \"name\": \"https://advisories.nats.io/CVE/secnote-2026-08.txt\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server offers a `Nats-Request-Info:` message header, providing information about a request. This is supposed to provide enough information to allow for account/user identification, such that NATS clients could make their own decisions on how to trust a message, provided that they trust the nats-server as a broker. A leafnode connecting to a nats-server is not fully trusted unless the system account is bridged too. Thus identity claims should not have propagated unchecked. Prior to versions 2.11.15 and 2.12.6, NATS clients relying upon the Nats-Request-Info: header could be spoofed. This does not directly affect the nats-server itself, but the CVSS Confidentiality and Integrity scores are based upon what a hypothetical client might choose to do with this NATS header. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-287\", \"description\": \"CWE-287: Improper Authentication\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-290\", \"description\": \"CWE-290: Authentication Bypass by Spoofing\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-25T19:50:03.453Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33246\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-28T01:42:55.527Z\", \"dateReserved\": \"2026-03-18T02:42:27.509Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-25T19:50:03.453Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.