CVE-2026-33247
Received Received - Intake
Information Disclosure via argv Exposure in NATS-Server Monitoring Endpoint

Publication date: 2026-03-25

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, if a nats-server is run with static credentials for all clients provided via argv (the command-line), then those credentials are visible to any user who can see the monitoring port, if that too is enabled. The `/debug/vars` end-point contains an unredacted copy of argv. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, configure credentials inside a configuration file instead of via argv, and do not enable the monitoring port if using secrets in argv. Best practice remains to not expose the monitoring port to the Internet, or to untrusted network sources.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-33247
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linuxfoundation nats-server From 2.12.0 (inc) to 2.12.6 (exc)
linuxfoundation nats-server to 2.11.15 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-215 The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33247 is a vulnerability in the nats-server, a high-performance messaging system used in cloud, on-premise, IoT, and edge computing environments.

The issue occurs when the nats-server is started with static client credentials passed via command-line arguments (argv) instead of a configuration file.

If the optional monitoring port is enabled, the /debug/vars endpoint exposes an unredacted copy of the command-line arguments, including sensitive credentials.

This means any user who can access the monitoring port can see these credentials.

The vulnerability affects all nats-server versions prior to 2.11.15 and 2.12.6, where it has been fixed.

Impact Analysis

This vulnerability can lead to the exposure of sensitive client credentials to unauthorized users who have access to the monitoring port.

An attacker with access to these credentials could compromise the confidentiality and integrity of the messaging system.

Since no privileges or user interaction are required to exploit this vulnerability, it poses a significant risk if the monitoring port is exposed to untrusted networks or the Internet.

However, there is no impact on availability.

Detection Guidance

This vulnerability can be detected by checking if the nats-server is running with static client credentials passed via command-line arguments (argv) and if the monitoring port is enabled.

You can verify if the monitoring port is enabled and accessible by attempting to access the /debug/vars endpoint on the monitoring port, which exposes the command-line arguments including sensitive credentials.

Suggested commands include using network tools like curl or wget to query the monitoring endpoint, for example:

  • curl http://<nats-server-host>:<monitoring-port>/debug/vars
  • wget -qO- http://<nats-server-host>:<monitoring-port>/debug/vars

If the output contains unredacted command-line arguments including credentials, the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include:

  • Avoid passing client credentials via command-line arguments (argv). Instead, configure credentials inside a configuration file.
  • Do not enable the monitoring port if you must use static credentials passed via argv.
  • Restrict access to the monitoring port to trusted networks only and never expose it to the Internet or untrusted sources.
  • Upgrade nats-server to versions 2.11.15 or 2.12.6 or later, where this vulnerability is fixed.
Compliance Impact

This vulnerability exposes static client credentials via the monitoring port if credentials are passed through command-line arguments, potentially allowing unauthorized access to sensitive information.

Such exposure of sensitive credentials can lead to violations of data protection standards and regulations like GDPR and HIPAA, which require safeguarding of confidential information and access controls to prevent unauthorized disclosure.

Mitigations such as configuring credentials in configuration files instead of argv, disabling the monitoring port when secrets are used in argv, and restricting monitoring port access to trusted networks help reduce the risk of non-compliance.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33247. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart