CVE-2026-33249
Improper Access Control in NATS-Server Message Tracing
Publication date: 2026-03-25
Last updated on: 2026-03-26
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | nats-server | From 2.11.0 (inc) to 2.11.15 (exc) |
| linuxfoundation | nats-server | From 2.12.0 (inc) to 2.12.6 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability allows a valid client to redirect trace messages to subjects they are not authorized to publish to. While the trace message payload is not attacker-controlled, this unauthorized redirection can compromise the integrity of the messaging system.
The impact is limited to integrity issues, meaning that trace messages could be sent to unintended recipients or subjects, potentially causing confusion or misleading telemetry data.
There is no impact on confidentiality or availability, and no known workarounds exist. The issue was fixed in versions 2.11.15 and 2.12.6.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade your nats-server to version 2.11.15 or later, or 2.12.6 or later, where the issue has been fixed.
No known workarounds are available, so applying the fixed versions is the recommended immediate step.
Can you explain this vulnerability to me?
CVE-2026-33249 is a moderate-severity vulnerability in the NATS.io server, a high-performance open-source publish-subscribe distributed communication system. It affects versions 2.11.0 through 2.11.14 and 2.12.x versions up to and including 2.12.5. The flaw lies in the message tracing feature, which uses per-message NATS headers to carry telemetry.
A valid client using message tracing headers can redirect trace messages to any arbitrary valid subject, including those for which the client does not have publish permissions. The trace message payload itself is valid and not attacker-controlled, but this unauthorized redirection can lead to integrity issues.
The vulnerability requires low privileges (a valid client), has low attack complexity, and does not require user interaction. It does not impact confidentiality or availability but has a low impact on integrity.
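As an added illustration (not code from the advisory or from nats-server), this Go snippet models the authorization check the CWE-863 entry says was performed incorrectly: the publishing client's own publish permissions, with NATS-style `*` and `>` subject wildcards, are applied to the destination named in the trace header before a trace message is delivered there. The header name `Nats-Trace-Dest`, the simplified `Permissions` type and the constructed permission set are assumptions of the example.

```go
package main

import (
	"fmt"
	"strings"
)

// subjectMatches reports whether a concrete subject matches a NATS permission
// pattern: tokens are '.'-separated, '*' matches exactly one token and a
// trailing '>' matches one or more remaining tokens.
func subjectMatches(pattern, subject string) bool {
	pt := strings.Split(pattern, ".")
	st := strings.Split(subject, ".")
	for i, p := range pt {
		if p == ">" {
			return len(st) > i // '>' must consume at least one token
		}
		if i >= len(st) || (p != "*" && p != st[i]) {
			return false
		}
	}
	return len(pt) == len(st)
}

// Permissions is a simplified model (assumption) of a client's publish
// permissions: an allow list (empty means allow all) and a deny list.
type Permissions struct {
	Allow []string
	Deny  []string
}

// CanPublish applies deny rules first, then the allow list.
func (p Permissions) CanPublish(subject string) bool {
	for _, d := range p.Deny {
		if subjectMatches(d, subject) {
			return false
		}
	}
	if len(p.Allow) == 0 {
		return true
	}
	for _, a := range p.Allow {
		if subjectMatches(a, subject) {
			return true
		}
	}
	return false
}

// traceDestHeader names the subject trace events are redirected to (assumed name).
const traceDestHeader = "Nats-Trace-Dest"

// TraceDestAllowed returns the requested trace destination and whether the
// publisher may publish there. Without the check, any valid subject would be
// accepted regardless of the client's permissions.
func TraceDestAllowed(perms Permissions, headers map[string]string) (string, bool) {
	dest := headers[traceDestHeader]
	if dest == "" {
		return "", true // no tracing requested; nothing extra to authorize
	}
	return dest, perms.CanPublish(dest)
}

func main() {
	// Constructed example: a client limited to the orders.> namespace.
	perms := Permissions{Allow: []string{"orders.>"}, Deny: []string{"orders.admin.>"}}
	for _, dest := range []string{"orders.trace", "_INBOX.ops.trace", "orders.admin.audit"} {
		d, ok := TraceDestAllowed(perms, map[string]string{traceDestHeader: dest})
		fmt.Printf("trace dest %q allowed=%v\n", d, ok)
	}
}
```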
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in NATS-Server allows a valid client to redirect trace messages to arbitrary subjects without publish permission, causing a low integrity impact. However, the trace message payload is valid and not attacker-controlled, and there is no impact on confidentiality or availability.
Based on the provided information, there is no direct mention or indication that this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.