CVE-2026-33249
Received Received - Intake
Improper Access Control in NATS-Server Message Tracing

Publication date: 2026-03-25

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission. The payload is a valid trace message and not chosen by the attacker. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33249
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linuxfoundation nats-server From 2.11.0 (inc) to 2.11.15 (exc)
linuxfoundation nats-server From 2.12.0 (inc) to 2.12.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability allows a valid client to redirect trace messages to subjects they are not authorized to publish to. While the trace message payload is not attacker-controlled, this unauthorized redirection can compromise the integrity of the messaging system.

The impact is limited to integrity issues, meaning that trace messages could be sent to unintended recipients or subjects, potentially causing confusion or misleading telemetry data.

There is no impact on confidentiality or availability, and no known workarounds exist. The issue was fixed in versions 2.11.15 and 2.12.6.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your nats-server to version 2.11.15 or later, or 2.12.6 or later, where the issue has been fixed.

No known workarounds are available, so applying the fixed versions is the recommended immediate step.

Executive Summary

CVE-2026-33249 is a moderate severity vulnerability in the NATS.io server, a high-performance open-source publish-subscribe distributed communication system. The issue exists in versions starting from 2.11.0 up to 2.11.14 and 2.12.5 and earlier. It arises from the message tracing feature that uses per-message NATS headers for telemetry.

A valid client using message tracing headers can redirect trace messages to any arbitrary valid subject, including those for which the client does not have publish permissions. The trace message payload itself is valid and not attacker-controlled, but this unauthorized redirection can lead to integrity issues.

The vulnerability requires low privileges (a valid client), has low attack complexity, and does not require user interaction. It does not impact confidentiality or availability but has a low impact on integrity.

Compliance Impact

The vulnerability in NATS-Server allows a valid client to redirect trace messages to arbitrary subjects without publish permission, causing a low integrity impact. However, the trace message payload is valid and not attacker-controlled, and there is no impact on confidentiality or availability.

Based on the provided information, there is no direct mention or indication that this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33249. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart