PT-2026-27619 · Nats · Nats Server

Published: 2026-03-24 · Updated: 2026-03-27 · CVE-2026-33246

CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

NATS-Server versions prior to 2.11.15
NATS-Server versions prior to 2.12.6

Description

NATS-Server provides a Nats-Request-Info: message header intended for account or user identification, allowing clients to make trust decisions based on information from the server. A leafnode connecting to a NATS-Server is not fully trusted unless the system account is bridged. Consequently, identity claims should not be propagated without verification. Prior to versions 2.11.15 and 2.12.6, the Nats-Request-Info: header could be spoofed, potentially impacting clients relying on this header for trust decisions. This issue does not directly affect the NATS-Server itself.

Recommendations

Update NATS-Server to version 2.11.15 or later.
Update NATS-Server to version 2.12.6 or later.

Weakness Enumeration

Improper Authentication
Authentication Bypass by Spoofing

Related Identifiers

BIT-NATS-2026-33246
CVE-2026-33246
GHSA-55H8-8G96-X4HJ
GO-2026-4830
SUSE-SU-2026:1135-1

Affected Products

Nats Server