MEDIUM · CVE-2026-33246 · CVSS 6.4

NATS: Leafnode connections allow forging of the Nats-Request-Info identity header

Platform

go

Component

nats-server

Fixed versions

2.11.16

2.12.1

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2026-33246 describes an information disclosure vulnerability within NATS-Server, a high-performance messaging system. This flaw allows unauthorized access to request information, potentially exposing account or user identification details. The vulnerability impacts versions of NATS-Server less than or equal to 2.12.0-RC.1 and versions before 2.12.6. A fix is available in version 2.11.15.


Impact and attack scenarios

The vulnerability lies in the Nats-Request-Info message header, which is intended to provide information for client trust decisions. However, improper handling of this header can lead to the unintentional exposure of sensitive data, such as account or user identifiers. An attacker could exploit this by intercepting messages and extracting this information, potentially enabling them to impersonate users or gain unauthorized access to resources. While the description indicates that identity claims should not propagate unchecked, the lack of proper validation allows this information to be leaked. The blast radius is limited to the NATS-Server infrastructure and any clients relying on it for messaging.

Exploitation context

CVE-2026-33246 was publicly disclosed on 2026-03-25. There is no indication of active exploitation or inclusion in the CISA KEV catalog at this time. No public proof-of-concept (PoC) code has been released. The vulnerability's severity is rated as MEDIUM, suggesting a moderate probability of exploitation if left unaddressed.

Who is at risk

Organizations heavily reliant on NATS-Server for inter-service communication, particularly those with sensitive data flowing through the messaging system, are at risk. Environments with older NATS-Server deployments (versions ≤ 2.12.0-RC.1 and < 2.12.6) are particularly vulnerable. Shared hosting environments utilizing NATS-Server should also be prioritized for patching.

Detection steps

• linux / server:

journalctl -u nats-server -g 'Nats-Request-Info'

• generic web:

curl -I <nats_server_url> | grep 'Nats-Request-Info'

Attack timeline

  1. Disclosure

Threat intelligence

Exploitation status

Proof of concept: unknown
CISA KEV: no
Internet exposure: not stated
Reports: 1 threat report

EPSS

0.03% (7th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical impact: partial

CVSS vector

Threat intelligence · CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N = 6.4 (MEDIUM)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit the flaw)
Privileges Required: Low (authentication level the attack needs)
User Interaction: None (whether the victim must take an action)
Scope: Changed (impact reaching beyond the affected component)
Confidentiality: Low (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: None (risk of service disruption)
nextguardhq.com · CVSS v3.1 base score

What do these metrics mean?
Attack Vector
Network: exploitable remotely over the Internet, with no physical or local access required. The largest attack surface.
Attack Complexity
Low: no special conditions are needed; the vulnerability can be exploited reliably.
Privileges Required
Low: any valid user account suffices.
User Interaction
None: the attack is automatic and silent; the victim does not need to do anything.
Scope
Changed: the attack can reach beyond the vulnerable component and affect other systems.
Confidentiality
Low: some data can be accessed.
Integrity
Low: the attacker can modify some data, with limited impact.
Availability
None: no availability impact.

Affected software

Component: nats-server
Vendor: nats-io

Affected range             Fixed version
< 2.11.15                  2.11.16
>= 2.12.0-RC.1, < 2.12.6   2.12.1
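To check a deployed nats-server version against the two affected ranges in the table above, here is an added Go example (not code from this page or from the nats-io project). The version strings it compares are constructed samples; the range boundaries are taken from the table.

```go
package main

import ("fmt"; "strconv"; "strings")

// version is a parsed nats-server version such as "2.12.0-RC.1".
type version struct {
	nums [3]int
	pre  string // empty for a release; a release sorts after its pre-releases
}

// parseVersion accepts "2.11.15", "v2.11.15" or "2.12.0-RC.1".
func parseVersion(s string) (version, error) {
	var v version
	core, pre, _ := strings.Cut(strings.TrimPrefix(strings.TrimSpace(s), "v"), "-")
	parts := strings.Split(core, ".")
	if len(parts) != 3 { return v, fmt.Errorf("unrecognised version %q", s) }
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil { return v, fmt.Errorf("unrecognised version %q: %w", s, err) }
		v.nums[i] = n
	}
	v.pre = pre
	return v, nil
}

// less reports whether a sorts before b; a pre-release precedes its release.
func less(a, b version) bool {
	for i := range a.nums {
		if a.nums[i] != b.nums[i] { return a.nums[i] < b.nums[i] }
	}
	if (a.pre == "") != (b.pre == "") { return a.pre != "" }
	return a.pre < b.pre // same numbers, both pre-releases: compare tags
}

// affectedByCVE202633246 applies the two affected ranges from the table above:
// "< 2.11.15" and ">= 2.12.0-RC.1, < 2.12.6".
func affectedByCVE202633246(s string) (bool, error) {
	v, err := parseVersion(s)
	if err != nil { return false, err }
	lo211, _ := parseVersion("2.11.15")
	lo212, _ := parseVersion("2.12.0-RC.1")
	hi212, _ := parseVersion("2.12.6")
	return less(v, lo211) || (!less(v, lo212) && less(v, hi212)), nil
}

func main() {
	// Constructed sample input; in practice feed it the version string your server reports.
	ok, err := affectedByCVE202633246("2.12.0-RC.1")
	fmt.Println("2.12.0-RC.1 affected:", ok, err)
}
```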

Weakness classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigations and workarounds

The primary mitigation for CVE-2026-33246 is to upgrade NATS-Server to version 2.11.15 or later. This version includes the necessary fixes to prevent the information disclosure. If immediate upgrade is not feasible, consider implementing stricter network segmentation to limit access to the NATS-Server. Additionally, review and restrict access to the NATS-Server based on the principle of least privilege. Monitor NATS-Server logs for any unusual activity or attempts to access sensitive information. After upgrading, confirm the fix by verifying that the Nats-Request-Info header no longer exposes sensitive account details.

Remediation

Update nats-server to 2.11.15 or later, or to 2.12.6 or later, depending on your release branch. This fixes the identity-spoofing vulnerability in leafnode connections.


Frequently asked questions

What is CVE-2026-33246 — Information Disclosure in NATS-Server?

CVE-2026-33246 is a medium severity vulnerability in NATS-Server affecting versions ≤ 2.12.0-RC.1 and < 2.12.6. It allows unauthorized access to request information, potentially exposing account details.

Am I affected by CVE-2026-33246 in NATS-Server?

You are affected if you are running NATS-Server versions less than or equal to 2.12.0-RC.1 or versions before 2.12.6. Check your version and upgrade accordingly.

How do I fix CVE-2026-33246 in NATS-Server?

Upgrade NATS-Server to version 2.11.15 or later to resolve the vulnerability. Implement network segmentation as a temporary workaround if immediate upgrade is not possible.

Is CVE-2026-33246 being actively exploited?

There is currently no evidence of active exploitation of CVE-2026-33246, but it's crucial to apply the patch to prevent potential future attacks.

Where can I find the official NATS-Server advisory for CVE-2026-33246?

Refer to the official NATS-Server security advisories on the NATS.io website for detailed information and updates regarding CVE-2026-33246.
