Plattform
go
Komponente
nats-server
Behoben in
2.11.16
2.12.1
CVE-2026-33246 describes an information disclosure vulnerability within NATS-Server, a high-performance messaging system. This flaw allows unauthorized access to request information, potentially exposing account or user identification details. The vulnerability impacts versions of NATS-Server less than or equal to 2.12.0-RC.1 and versions before 2.12.6. A fix is available in version 2.11.15.
The vulnerability lies in the Nats-Request-Info message header, which is intended to provide information for client trust decisions. However, improper handling of this header can lead to the unintentional exposure of sensitive data, such as account or user identifiers. An attacker could exploit this by intercepting messages and extracting this information, potentially enabling them to impersonate users or gain unauthorized access to resources. While the description indicates that identity claims should not propagate unchecked, the lack of proper validation allows this information to be leaked. The blast radius is limited to the NATS-Server infrastructure and any clients relying on it for messaging.
CVE-2026-33246 was publicly disclosed on 2026-03-25. There is no indication of active exploitation or inclusion in the CISA KEV catalog at this time. No public proof-of-concept (PoC) code has been released. The vulnerability's severity is rated as MEDIUM, suggesting a moderate probability of exploitation if left unaddressed.
Organizations heavily reliant on NATS-Server for inter-service communication, particularly those with sensitive data flowing through the messaging system, are at risk. Environments with older NATS-Server deployments (versions ≤ 2.12.0-RC.1 and < 2.12.6) are particularly vulnerable. Shared hosting environments utilizing NATS-Server should also be prioritized for patching.
• linux / server:
journalctl -u nats-server -g 'Nats-Request-Info'• generic web:
curl -I <nats_server_url> | grep 'Nats-Request-Info'disclosure
Exploit-Status
EPSS
0.03% (7% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2026-33246 is to upgrade NATS-Server to version 2.11.15 or later. This version includes the necessary fixes to prevent the information disclosure. If immediate upgrade is not feasible, consider implementing stricter network segmentation to limit access to the NATS-Server. Additionally, review and restrict access to the NATS-Server based on the principle of least privilege. Monitor NATS-Server logs for any unusual activity or attempts to access sensitive information. After upgrading, confirm the fix by verifying that the Nats-Request-Info header no longer exposes sensitive account details.
Aktualisieren Sie nats-server auf Version 2.11.15 oder höher oder auf Version 2.12.6 oder höher, je nach Ihrer Versionsbranche. Dies behebt die Identitätsfälschungs-Schwachstelle in leafnode-Verbindungen.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2026-33246 is a medium severity vulnerability in NATS-Server affecting versions ≤ 2.12.0-RC.1 and < 2.12.6. It allows unauthorized access to request information, potentially exposing account details.
You are affected if you are running NATS-Server versions less than or equal to 2.12.0-RC.1 or versions before 2.12.6. Check your version and upgrade accordingly.
Upgrade NATS-Server to version 2.11.15 or later to resolve the vulnerability. Implement network segmentation as a temporary workaround if immediate upgrade is not possible.
There is currently no evidence of active exploitation of CVE-2026-33246, but it's crucial to apply the patch to prevent potential future attacks.
Refer to the official NATS-Server security advisories on the NATS.io website for detailed information and updates regarding CVE-2026-33246.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine go.mod-Datei hoch und wir sagen dir sofort, ob du betroffen bist.