MEDIUM | CVE-2026-33246 | CVSS 6.4

CVE-2026-33246: Information Disclosure in NATS-Server

Platform: go
Component: nats-server
Fixed in: 2.11.16, 2.12.1

AI Confidence: high | NVD | EPSS 0.0% | Reviewed: May 2026

CVE-2026-33246 describes an information disclosure vulnerability within NATS-Server, a high-performance messaging system. This flaw allows unauthorized access to request information, potentially exposing account or user identification details. The vulnerability impacts versions of NATS-Server less than or equal to 2.12.0-RC.1 and versions before 2.12.6. A fix is available in version 2.11.15.


Impact and Attack Scenarios

The vulnerability lies in the Nats-Request-Info message header, which is intended to provide information for client trust decisions. However, improper handling of this header can lead to the unintentional exposure of sensitive data, such as account or user identifiers. An attacker could exploit this by intercepting messages and extracting this information, potentially enabling them to impersonate users or gain unauthorized access to resources. While the description indicates that identity claims should not propagate unchecked, the lack of proper validation allows this information to be leaked. The blast radius is limited to the NATS-Server infrastructure and any clients relying on it for messaging.

Exploitation Context

CVE-2026-33246 was publicly disclosed on 2026-03-25. There is no indication of active exploitation or inclusion in the CISA KEV catalog at this time. No public proof-of-concept (PoC) code has been released. The vulnerability's severity is rated as MEDIUM, suggesting a moderate probability of exploitation if left unaddressed.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 1 threat report

EPSS

0.03% (7th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS 3.1 base score: 6.4 (MEDIUM)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
(nextguardhq.com, CVSS v3.1 Base Score)
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: nats-server
Vendor: nats-io

Affected range              Fixed in
< 2.11.15                   2.11.16
>= 2.12.0-RC.1, < 2.12.6    2.12.1
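The two ranges in the table above are half-open and one of them starts at a pre-release tag, so a naive string or float comparison of the version gets the boundary cases wrong (2.12.0-RC.1 sorts below 2.12.0, and 2.12.0-RC.0 is outside the range). The following Go program is an added example, not code from the advisory or from the nats-io project; it implements the "Am I affected?" check from the FAQ below with a pre-release-aware semantic version comparison. The range bounds are copied from the Affected Software table as printed (the prose on this page quotes other fix versions; the table is used here unchanged), and the input is the version string as printed by `nats-server --version` or pinned in go.mod, with or without the leading "v".

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Affected ranges for CVE-2026-33246 as given in the advisory's affected-range table, each half-open [lo, hi); an empty lo means no lower bound.
var affectedRanges = []struct{ lo, hi string }{
	{"", "2.11.15"},
	{"2.12.0-RC.1", "2.12.6"},
}

// ver is MAJOR.MINOR.PATCH plus optional pre-release identifiers.
type ver struct {
	core [3]int
	pre  []string
}

// parse turns "v2.12.0-RC.1" into core {2,12,0} and pre ["RC","1"].
func parse(s string) (v ver, err error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexByte(s, '-'); i >= 0 {
		s, v.pre = s[:i], strings.Split(s[i+1:], ".")
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("version %q: want MAJOR.MINOR.PATCH", s)
	}
	for i, p := range parts {
		if v.core[i], err = strconv.Atoi(p); err != nil {
			return v, fmt.Errorf("version %q: bad component %q", s, p)
		}
	}
	return v, nil
}

func cmpInt(a, b int) int {
	switch {
	case a < b:
		return -1
	case a > b:
		return 1
	}
	return 0
}

// compare returns -1, 0 or 1. A release sorts above every pre-release of the same core (semver rule 11), so 2.12.0-RC.1 < 2.12.0 < 2.12.6.
func compare(a, b ver) int {
	for i := range a.core {
		if c := cmpInt(a.core[i], b.core[i]); c != 0 {
			return c
		}
	}
	if len(a.pre) == 0 || len(b.pre) == 0 {
		return cmpInt(len(b.pre), len(a.pre)) // the side without a pre-release wins
	}
	for i := 0; i < len(a.pre) && i < len(b.pre); i++ {
		xn, xerr := strconv.Atoi(a.pre[i])
		yn, yerr := strconv.Atoi(b.pre[i])
		c := strings.Compare(a.pre[i], b.pre[i]) // ASCII order puts digits before letters, as semver wants
		if xerr == nil && yerr == nil {
			c = cmpInt(xn, yn) // both numeric: compare as integers, so RC.10 > RC.9
		}
		if c != 0 {
			return c
		}
	}
	return cmpInt(len(a.pre), len(b.pre)) // RC.1 < RC.1.1
}

// IsAffected reports whether s (as printed by `nats-server --version` or pinned in go.mod) lies inside an affected range, and which one.
func IsAffected(s string) (bool, string, error) {
	v, err := parse(s)
	if err != nil {
		return false, "", err
	}
	for _, r := range affectedRanges {
		hi, _ := parse(r.hi) // range bounds are literals above, known to parse
		if compare(v, hi) >= 0 {
			continue
		}
		if r.lo == "" {
			return true, "< " + r.hi, nil
		}
		if lo, _ := parse(r.lo); compare(v, lo) >= 0 {
			return true, ">= " + r.lo + ", < " + r.hi, nil
		}
	}
	return false, "", nil
}

func main() {
	for _, s := range []string{"v2.11.14", "2.11.15", "2.12.0-RC.0", "2.12.0-RC.1", "2.12.0", "2.12.6"} {
		hit, rng, err := IsAffected(s)
		fmt.Printf("%-12s affected=%-5v range=%q err=%v\n", s, hit, rng, err)
	}
}
```

The check is only as good as the version you feed it: for an embedded server, read the `github.com/nats-io/nats-server/v2` line from go.mod (or `go list -m`), and for a packaged binary run `nats-server --version` on the host rather than trusting the package manager's metadata. A malformed or two-component version string is reported as an error instead of being silently treated as safe.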

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-33246 is to upgrade NATS-Server to version 2.11.15 or later. This version includes the necessary fixes to prevent the information disclosure. If immediate upgrade is not feasible, consider implementing stricter network segmentation to limit access to the NATS-Server. Additionally, review and restrict access to the NATS-Server based on the principle of least privilege. Monitor NATS-Server logs for any unusual activity or attempts to access sensitive information. After upgrading, confirm the fix by verifying that the Nats-Request-Info header no longer exposes sensitive account details.

How to fix

Update nats-server to version 2.11.15 or higher, or to version 2.12.6 or higher, as appropriate for your version branch. This corrects the identity spoofing vulnerability in leafnode connections.


Frequently asked questions

What is CVE-2026-33246 — Information Disclosure in NATS-Server?

CVE-2026-33246 is a medium-severity vulnerability in NATS-Server affecting versions ≤ 2.12.0-RC.1 and < 2.12.6. It allows unauthorized access to request information, potentially exposing account details.

Am I affected by CVE-2026-33246 in NATS-Server?

You are affected if you are running NATS-Server versions less than or equal to 2.12.0-RC.1 or versions before 2.12.6. Check your version and upgrade accordingly.

How do I fix CVE-2026-33246 in NATS-Server?

Upgrade NATS-Server to version 2.11.15 or later to resolve the vulnerability. Implement network segmentation as a temporary workaround if immediate upgrade is not possible.

Is CVE-2026-33246 being actively exploited?

There is currently no evidence of active exploitation of CVE-2026-33246, but it's crucial to apply the patch to prevent potential future attacks.

Where can I find the official NATS-Server advisory for CVE-2026-33246?

Refer to the official NATS-Server security advisories on the NATS.io website for detailed information and updates regarding CVE-2026-33246.
