CVE-2026-33247
Information Disclosure via argv Exposure in NATS-Server Monitoring Endpoint
Publication date: 2026-03-25
Last updated on: 2026-03-26
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | nats-server | From 2.12.0 (inc) to 2.12.6 (exc) |
| linuxfoundation | nats-server | to 2.11.15 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-215 | The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33247 is a vulnerability in the nats-server, a high-performance messaging system used in cloud, on-premise, IoT, and edge computing environments.
The issue occurs when the nats-server is started with static client credentials passed via command-line arguments (argv) instead of a configuration file.
If the optional monitoring port is enabled, the /debug/vars endpoint exposes an unredacted copy of the command-line arguments, including sensitive credentials.
This means any user who can access the monitoring port can see these credentials.
The vulnerability affects all nats-server versions prior to 2.11.15 and 2.12.6, where it has been fixed.
How can this vulnerability impact me?
This vulnerability can lead to the exposure of sensitive client credentials to unauthorized users who have access to the monitoring port.
An attacker with access to these credentials could compromise the confidentiality and integrity of the messaging system.
Since no privileges or user interaction are required to exploit this vulnerability, it poses a significant risk if the monitoring port is exposed to untrusted networks or the Internet.
However, there is no impact on availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the nats-server is running with static client credentials passed via command-line arguments (argv) and if the monitoring port is enabled.
You can verify if the monitoring port is enabled and accessible by attempting to access the /debug/vars endpoint on the monitoring port, which exposes the command-line arguments including sensitive credentials.
Suggested commands include using network tools like curl or wget to query the monitoring endpoint, for example:
- curl http://<nats-server-host>:<monitoring-port>/debug/vars
- wget -qO- http://<nats-server-host>:<monitoring-port>/debug/vars
If the output contains unredacted command-line arguments including credentials, the vulnerability is present.
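The check above can be automated against your own monitoring port. The script below is an added example, not code from the nats-server project. It assumes that /debug/vars is Go's standard expvar endpoint, so the JSON carries a "cmdline" array with the process's os.Args, and that the credential-bearing nats-server flags are --user, --pass and --auth (SENSITIVE_FLAGS is an assumption to extend for your deployment). It also flags credentials embedded as userinfo in URL arguments, which goes a little beyond the flag-only case the text describes. Secrets are never printed, only their length.

```python
"""Defensive check for CVE-2026-33247: does a nats-server /debug/vars
document leak credentials through the process's command line?

Added example, not nats-server project code. Assumptions: /debug/vars is
Go's expvar endpoint (so the JSON has a "cmdline" array holding os.Args)
and the credential flags are --user, --pass and --auth.
"""
import json
import urllib.request
from urllib.parse import urlsplit

# Flag names (without leading dashes) whose values are secrets. Assumption.
SENSITIVE_FLAGS = {"user", "pass", "auth"}


def redact(value):
    """Report only the length so the check itself never re-leaks a secret."""
    return f"<redacted {len(value)} chars>"


def flagged_args(cmdline):
    """Return (flag, redacted_value) for every credential flag found in argv.

    Handles '--pass secret', '-pass secret' and '--pass=secret' forms, and
    credentials embedded as userinfo in any URL argument (user:pass@host).
    """
    findings = []
    i = 0
    while i < len(cmdline):
        arg = cmdline[i]
        if arg.startswith("-"):
            name, sep, value = arg.lstrip("-").partition("=")
            if name in SENSITIVE_FLAGS:
                if not sep and i + 1 < len(cmdline):
                    value = cmdline[i + 1]
                    i += 1  # consume the separate value token
                findings.append((name, redact(value)))
        else:
            parts = urlsplit(arg)
            if parts.scheme and parts.username:
                findings.append(("url-userinfo", redact(parts.username)))
        i += 1
    return findings


def assess(vars_doc):
    """Summarise a parsed /debug/vars document.

    A credential flag visible in an unredacted cmdline is exactly the
    condition the advisory describes, so at_risk is set when any is found.
    """
    cmdline = vars_doc.get("cmdline")
    exposed = isinstance(cmdline, list)
    findings = flagged_args(cmdline) if exposed else []
    return {
        "cmdline_exposed": exposed,
        "credential_flags": findings,
        "at_risk": bool(findings),
    }


def fetch_vars(base_url, timeout=5):
    """GET <base_url>/debug/vars from your own monitoring port and parse it."""
    url = f"{base_url.rstrip('/')}/debug/vars"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample of what an affected server started with argv credentials
# would return; the password is a placeholder, not a real secret.
SAMPLE_VARS = {
    "cmdline": ["nats-server", "-m", "8222",
                "--user", "svc", "--pass", "placeholder-pw"],
    "memstats": {},
}

if __name__ == "__main__":
    import sys
    # Usage: python check_nats_vars.py http://127.0.0.1:8222
    doc = fetch_vars(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_VARS
    report = assess(doc)
    print(json.dumps(report, indent=2))
    sys.exit(1 if report["at_risk"] else 0)
```

Run it with the base URL of the monitoring port; a non-zero exit means a credential flag is visible in the exposed command line. With no argument it evaluates the constructed sample so the logic can be exercised offline.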
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Avoid passing client credentials via command-line arguments (argv). Instead, configure credentials inside a configuration file.
- Do not enable the monitoring port if you must use static credentials passed via argv.
- Restrict access to the monitoring port to trusted networks only and never expose it to the Internet or untrusted sources.
- Upgrade nats-server to versions 2.11.15 or 2.12.6 or later, where this vulnerability is fixed.
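The first and third mitigations together look like the configuration below. This is an added example, not a file from the nats-server project; it assumes the documented nats-server config syntax, namely an `authorization` block for static user/password credentials and an `http` listen specification of the form host:port for the monitoring port.

```conf
# nats.conf (added example; start the server with: nats-server -c nats.conf)

# Static credentials live here instead of on the command line, so they are
# not part of the process's argv.
authorization {
  user: svc
  password: "REPLACE_WITH_A_STRONG_PASSWORD"   # placeholder
}

# Bind the monitoring port to loopback only so /debug/vars is unreachable
# from other hosts; omit this entirely if you do not need monitoring.
http: 127.0.0.1:8222
```

Keep the file readable only by the service account, and still apply the version upgrade: the configuration change limits exposure, the upgrade removes the unredacted argv copy from the endpoint.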
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability exposes static client credentials via the monitoring port if credentials are passed through command-line arguments, potentially allowing unauthorized access to sensitive information.
Such exposure of sensitive credentials can lead to violations of data protection standards and regulations like GDPR and HIPAA, which require safeguarding of confidential information and access controls to prevent unauthorized disclosure.
Mitigations such as configuring credentials in configuration files instead of argv, disabling the monitoring port when secrets are used in argv, and restricting monitoring port access to trusted networks help reduce the risk of non-compliance.