PT-2026-27622 · Nats.Io · Nats Server

Published: 2026-03-24 · Updated: 2026-05-21 · CVE-2026-33249

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: NATS-Server versions prior to 2.11.15; NATS-Server 2.12.x versions prior to 2.12.6.
Description: NATS-Server, the high-performance server for NATS.io, is affected by an authorization bypass in its message tracing feature. An authenticated client that sets message tracing headers on a published message can have the server deliver the resulting trace message to any valid subject, including subjects the client's permissions do not allow it to publish to. The payload of such a message is a legitimate trace message generated by the server, not attacker-controlled data, which is why the impact is limited to a low integrity effect (I:L) and why the vulnerability requires valid credentials (PR:L) to exercise.
Recommendations: Update NATS-Server to version 2.11.15 or later on the 2.11 branch, or to version 2.12.6 or later on the 2.12 branch.
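The following check is an added example for this advisory, not code from NATS or from the advisory itself. It reads the version string out of the INFO line a NATS server sends when a client connects (the sample line below is constructed, with illustrative values) and applies the two affected ranges stated above. It generalizes the ranges slightly: releases on branches newer than 2.12 are assumed to be fixed, which the advisory does not state explicitly.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample of the INFO line a NATS server sends on connect.
// The field values are illustrative, not captured from a real deployment.
const sampleInfoLine = `INFO {"server_id":"NABCDEF","server_name":"demo","version":"2.11.14","go":"go1.23.4","host":"0.0.0.0","port":4222,"headers":true,"max_payload":1048576,"proto":1}`

// semver holds the numeric components of a NATS server version string.
type semver struct{ major, minor, patch int }

// parseVersion parses "2.11.14" or "v2.11.14-beta.1" into its numeric parts.
// Pre-release and build suffixes are ignored for the range check.
func parseVersion(s string) (semver, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return semver{}, fmt.Errorf("unexpected version format %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil {
			return semver{}, fmt.Errorf("non-numeric component %q in %q", p, s)
		}
		n[i] = v
	}
	return semver{n[0], n[1], n[2]}, nil
}

// less reports whether a sorts before b.
func (a semver) less(b semver) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	return a.patch < b.patch
}

// Fixed releases named in the advisory.
var (
	fixed211 = semver{2, 11, 15}
	fixed212 = semver{2, 12, 6}
)

// affectedByCVE202633249 applies the advisory's ranges: everything before
// 2.11.15 is affected, and 2.12.x is affected before 2.12.6.
// Assumption (not stated on the page): branches newer than 2.12 are fixed.
func affectedByCVE202633249(v semver) bool {
	if v.major == 2 && v.minor == 12 {
		return v.less(fixed212)
	}
	return v.less(fixed211)
}

// versionFromInfoLine extracts the "version" field from a raw INFO protocol line.
func versionFromInfoLine(line string) (string, error) {
	const prefix = "INFO "
	if !strings.HasPrefix(line, prefix) {
		return "", fmt.Errorf("not an INFO line")
	}
	var info struct {
		Version string `json:"version"`
	}
	if err := json.Unmarshal([]byte(strings.TrimPrefix(line, prefix)), &info); err != nil {
		return "", err
	}
	if info.Version == "" {
		return "", fmt.Errorf("INFO line has no version field")
	}
	return info.Version, nil
}

// checkInfoLine reports whether the server that sent this INFO line is affected.
func checkInfoLine(line string) (bool, error) {
	vs, err := versionFromInfoLine(line)
	if err != nil {
		return false, err
	}
	v, err := parseVersion(vs)
	if err != nil {
		return false, err
	}
	return affectedByCVE202633249(v), nil
}

func main() {
	affected, err := checkInfoLine(sampleInfoLine)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("affected by CVE-2026-33249: %v\n", affected)
}
```

To use it against a live server, feed checkInfoLine the first line returned after opening a TCP connection to the server's client port; the version check alone does not tell you whether message tracing is in use, only whether the server still carries the permission bypass.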

Weakness Enumeration

Incorrect Authorization

Related Identifiers

BIT-NATS-2026-33249
CVE-2026-33249
GHSA-8M2X-3M6Q-6W8J
GO-2026-4826
SUSE-SU-2026:1135-1

Affected Products

Nats Server