CVE-2026-33246
Spoofing Vulnerability in NATS-Server Nats-Request-Info Header
Publication date: 2026-03-25
Last updated on: 2026-03-26
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | nats-server | From 2.12.0 (inc) to 2.12.6 (exc) |
| linuxfoundation | nats-server | Up to 2.11.15 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
| CWE-290 | This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33246 is a vulnerability in the NATS-Server, a high-performance messaging system used in cloud, on-premise, IoT, and edge computing environments. The issue involves the `Nats-Request-Info:` message header, which is designed to provide identity information about a request to help clients make trust decisions.
The vulnerability arises because leafnodes connecting to a nats-server are not fully trusted unless the system account is bridged. A malicious leafnode can therefore inject spoofed identity claims into the `Nats-Request-Info:` header, misleading clients that rely on this header for identity verification.
While the nats-server itself is not directly compromised, clients trusting the header information may be deceived, affecting confidentiality and integrity from their perspective. The issue was fixed in versions 2.11.15 and 2.12.6.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in the NATS-Server involves spoofing of identity information in the Nats-Request-Info header, which can mislead clients relying on this header for account or user identification.
This spoofing risk impacts confidentiality and integrity from the perspective of clients trusting the header information, which could potentially affect compliance with standards and regulations that require accurate identity verification and protection of sensitive data, such as GDPR and HIPAA.
However, the vulnerability does not directly compromise the nats-server itself, and no specific compliance impacts or regulatory violations are explicitly mentioned in the provided information.
Users are advised to upgrade to fixed versions to mitigate the risk.
How can this vulnerability impact me?
This vulnerability can impact you if you use NATS clients that rely on the `Nats-Request-Info:` header for identity verification. A malicious leafnode could spoof identity information in this header, causing clients to make incorrect trust decisions.
The impact affects confidentiality and integrity at a low level, meaning sensitive information could be misrepresented or trusted messages could be spoofed, potentially leading to unauthorized actions or data exposure within the messaging system.
However, the nats-server itself is not directly compromised, and there is no impact on availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade your nats-server to a fixed version.
- Upgrade to nats-server version 2.11.15 or later.
- Alternatively, upgrade to nats-server version 2.12.6 or later.
No known workarounds are available, so applying the patch is the only effective mitigation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is no specific detection method or commands provided in the available resources for identifying this vulnerability on your network or system.
The vulnerability involves spoofing of the `Nats-Request-Info:` message header by malicious leafnodes in the nats-server environment. Detection would likely require monitoring or inspecting message headers for inconsistencies or unexpected identity claims, but no explicit detection commands or tools are mentioned.