Platform: go
Component: nats-server
Fixed in: 2.11.16, 2.12.1
CVE-2026-33246 describes an information disclosure vulnerability within NATS-Server, a high-performance messaging system. This flaw allows unauthorized access to request information, potentially exposing account or user identification details. The vulnerability impacts versions of NATS-Server less than or equal to 2.12.0-RC.1 and versions before 2.12.6. A fix is available in version 2.11.15.
The vulnerability lies in the Nats-Request-Info message header, which is intended to carry information that clients use for trust decisions. Improper handling of this header can expose sensitive data, such as account or user identifiers, to parties that should not see it. An attacker who can intercept messages carrying the header could extract this information and potentially use it to impersonate users or gain unauthorized access to resources. Although identity claims carried in the header are not meant to propagate unchecked, the missing validation allows them to leak. The blast radius is limited to the NATS-Server infrastructure and any clients that rely on it for messaging.
CVE-2026-33246 was publicly disclosed on 2026-03-25. There is no indication of active exploitation or inclusion in the CISA KEV catalog at this time. No public proof-of-concept (PoC) code has been released. The vulnerability's severity is rated as MEDIUM, suggesting a moderate probability of exploitation if left unaddressed.
Exploit Status
EPSS: 0.03% (7th percentile)
The primary mitigation for CVE-2026-33246 is to upgrade NATS-Server to version 2.11.15 or later. This version includes the necessary fixes to prevent the information disclosure. If immediate upgrade is not feasible, consider implementing stricter network segmentation to limit access to the NATS-Server. Additionally, review and restrict access to the NATS-Server based on the principle of least privilege. Monitor NATS-Server logs for any unusual activity or attempts to access sensitive information. After upgrading, confirm the fix by verifying that the Nats-Request-Info header no longer exposes sensitive account details.
Update nats-server to version 2.11.15 or higher, or to version 2.12.6 or higher, as appropriate for your version branch. This corrects the identity spoofing vulnerability in leafnode connections.
CVE-2026-33246 is a medium severity vulnerability in NATS-Server affecting versions ≤ 2.12.0-RC.1 and < 2.12.6. It allows unauthorized access to request information, potentially exposing account details.
You are affected if you are running NATS-Server versions less than or equal to 2.12.0-RC.1 or versions before 2.12.6. Check your version and upgrade accordingly.
Upgrade NATS-Server to version 2.11.15 or later to resolve the vulnerability. Implement network segmentation as a temporary workaround if immediate upgrade is not possible.
There is currently no evidence of active exploitation of CVE-2026-33246, but it's crucial to apply the patch to prevent potential future attacks.
Refer to the official NATS-Server security advisories on the NATS.io website for detailed information and updates regarding CVE-2026-33246.