CVE-2026-33246
Received Received - Intake
Spoofing Vulnerability in NATS-Server Nats-Request-Info Header

Publication date: 2026-03-25

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server offers a `Nats-Request-Info:` message header, providing information about a request. This is supposed to provide enough information to allow for account/user identification, such that NATS clients could make their own decisions on how to trust a message, provided that they trust the nats-server as a broker. A leafnode connecting to a nats-server is not fully trusted unless the system account is bridged too. Thus identity claims should not have propagated unchecked. Prior to versions 2.11.15 and 2.12.6, NATS clients relying upon the Nats-Request-Info: header could be spoofed. This does not directly affect the nats-server itself, but the CVSS Confidentiality and Integrity scores are based upon what a hypothetical client might choose to do with this NATS header. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33246
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linuxfoundation nats-server From 2.12.0 (inc) to 2.12.6 (exc)
linuxfoundation nats-server to 2.11.15 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in the NATS-Server involves spoofing of identity information in the Nats-Request-Info header, which can mislead clients relying on this header for account or user identification.

This spoofing risk impacts confidentiality and integrity from the perspective of clients trusting the header information, which could potentially affect compliance with standards and regulations that require accurate identity verification and protection of sensitive data, such as GDPR and HIPAA.

However, the vulnerability does not directly compromise the nats-server itself, and no specific compliance impacts or regulatory violations are explicitly mentioned in the provided information.

Users are advised to upgrade to fixed versions to mitigate the risk.

Executive Summary

CVE-2026-33246 is a vulnerability in the NATS-Server, a high-performance messaging system used in cloud, on-premise, IoT, and edge computing environments. The issue involves the `Nats-Request-Info:` message header, which is designed to provide identity information about a request to help clients make trust decisions.

The vulnerability arises because leafnodes connecting to a nats-server are not fully trusted unless the system account is bridged. This means that identity claims propagated through the `Nats-Request-Info:` header can be spoofed by a malicious leafnode, misleading clients that rely on this header for identity verification.

While the nats-server itself is not directly compromised, clients trusting the header information may be deceived, affecting confidentiality and integrity from their perspective. The issue was fixed in versions 2.11.15 and 2.12.6.

Impact Analysis

This vulnerability can impact you if you use NATS clients that rely on the `Nats-Request-Info:` header for identity verification. A malicious leafnode could spoof identity information in this header, causing clients to make incorrect trust decisions.

The impact affects confidentiality and integrity at a low level, meaning sensitive information could be misrepresented or trusted messages could be spoofed, potentially leading to unauthorized actions or data exposure within the messaging system.

However, the nats-server itself is not directly compromised, and there is no impact on availability.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your nats-server to a fixed version.

  • Upgrade to nats-server version 2.11.15 or later.
  • Alternatively, upgrade to nats-server version 2.12.6 or later.

No known workarounds are available, so applying the patch is the only effective mitigation.

Detection Guidance

There is no specific detection method or commands provided in the available resources for identifying this vulnerability on your network or system.

The vulnerability involves spoofing of the `Nats-Request-Info:` message header by malicious leafnodes in the nats-server environment. Detection would likely require monitoring or inspecting message headers for inconsistencies or unexpected identity claims, but no explicit detection commands or tools are mentioned.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33246. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart