CVE-2026-33246: CWE-287: Improper Authentication in nats-io nats-server
CVE-2026-33246 is an improper authentication vulnerability in nats-io nats-server affecting versions prior to 2.11.15 and versions from 2.12.0-RC.1 up to but not including 2.12.6. The issue involves the Nats-Request-Info header, which is intended to provide identity information for requests. Clients relying on this header could be spoofed, because identity claims propagated unchecked from leafnodes, which are not fully trusted.
AI Analysis
Technical Summary
nats-server, a high-performance messaging server, has a vulnerability (CWE-287: Improper Authentication) in its handling of the Nats-Request-Info message header. This header is designed to convey request identity information to clients. However, prior to versions 2.11.15 and 2.12.6, clients relying on this header could be misled by spoofed identity claims, because leafnodes connecting to the server are not fully trusted unless the system account is bridged. The vulnerability allows identity information in the header to be spoofed, potentially misleading clients about the origin or trustworthiness of messages. The server itself is not directly compromised; the impact depends on how clients use the header. The issue is resolved in versions 2.11.15 and 2.12.6.
Potential Impact
The vulnerability allows the Nats-Request-Info header to be spoofed, and clients might use that header to make trust decisions. This could lead to clients accepting messages with falsified identity information, impacting confidentiality and integrity from the client's perspective. The nats-server itself is not directly affected. The CVSS score is 6.4 (medium severity), reflecting the potential impact on client trust and message integrity. There are no known exploits in the wild.
Mitigation Recommendations
Fixed versions 2.11.15 and 2.12.6 of nats-server address this vulnerability. Users should upgrade to at least these versions to remediate the issue. No known workarounds are available. Since nats-server is self-hosted software rather than a cloud service, remediation depends on operators upgrading their own deployments.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-18T02:42:27.509Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c43f15f4197a8e3b7dafee
Added to database: 3/25/2026, 8:01:25 PM
Last enriched: 4/3/2026, 1:15:07 PM
Last updated: 5/8/2026, 9:16:07 PM