CVE-2026-33246 in nats-server
Summary
by MITRE • 03/25/2026
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server offers a `Nats-Request-Info:` message header, providing information about a request. This is supposed to provide enough information to allow for account/user identification, such that NATS clients could make their own decisions on how to trust a message, provided that they trust the nats-server as a broker. A leafnode connecting to a nats-server is not fully trusted unless the system account is bridged too. Thus identity claims should not have propagated unchecked. Prior to versions 2.11.15 and 2.12.6, NATS clients relying upon the Nats-Request-Info: header could be spoofed. This does not directly affect the nats-server itself, but the CVSS Confidentiality and Integrity scores are based upon what a hypothetical client might choose to do with this NATS header. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.
Analysis
by VulDB Data Team • 04/01/2026
CVE-2026-33246 affects nats-server releases before 2.11.15 and 2.12.6. It concerns the `Nats-Request-Info:` message header, which the server supplies with a request to identify the originating account and user so that a client can decide how far to trust a message, on the premise that the client trusts the nats-server acting as broker. A leafnode that connects without the system account also being bridged is not fully trusted, so identity claims arriving over such a connection should not have been propagated unchecked. In affected versions they were, which means a client relying on the header as server-asserted identity could be handed a spoofed claim and act on it.
The weakness is one of access control and identity verification, classified under CWE-284 (Improper Access Control): the server did not ensure that the `Nats-Request-Info:` contents reaching a client reflected an identity it had actually verified. The server's own operation is not compromised; the impact lands downstream, on clients whose trust decisions are only as good as the header they receive. Any client that authorizes a request, selects a tenant, or relaxes a check because the header names a particular account or user can be induced to do so by a forged header, because nothing in the message itself distinguishes a claim the server verified from one a publisher wrote.
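To make that client-side dependency concrete, the following Go program (an added example, not code from nats-server or any NATS client library) shows the pattern the advisory cautions against: a request handler that parses `Nats-Request-Info`, then grants access because the header names an allow-listed account. The `Message` type is a stand-in for `nats.Msg` so the program runs without a server, and the JSON field name `acc` is this example's assumption about how the header encodes the account.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Message is a stand-in for nats.Msg so the example runs without a server or
// the nats.go module; only the fields the handler consults are modelled.
type Message struct {
	Subject string
	Header  map[string]string
	Data    string
}

// RequestInfo models the JSON carried by Nats-Request-Info. The field name
// "acc" is an assumption of this example about the header's encoding.
type RequestInfo struct {
	Account string `json:"acc"`
}

// ErrNoIdentity is returned when the header is absent, malformed or empty.
var ErrNoIdentity = errors.New("no usable Nats-Request-Info header")

// ParseRequestInfo extracts the account claim from the message header.
func ParseRequestInfo(m Message) (RequestInfo, error) {
	raw, ok := m.Header["Nats-Request-Info"]
	if !ok || raw == "" {
		return RequestInfo{}, ErrNoIdentity
	}
	var ri RequestInfo
	if err := json.Unmarshal([]byte(raw), &ri); err != nil {
		return RequestInfo{}, fmt.Errorf("%w: %v", ErrNoIdentity, err)
	}
	if ri.Account == "" {
		return RequestInfo{}, ErrNoIdentity
	}
	return ri, nil
}

// AuthorizeByHeader is the pattern the advisory cautions against: the handler
// allows a privileged request whenever the header names an allow-listed
// account. It cannot see whether the server verified that claim or whether the
// publisher wrote it, so on an unpatched server a forged header carrying the
// same bytes is accepted exactly like a genuine one.
func AuthorizeByHeader(m Message, trustedAccounts map[string]bool) bool {
	ri, err := ParseRequestInfo(m)
	if err != nil {
		return false // fail closed on a missing or malformed claim
	}
	return trustedAccounts[ri.Account]
}

func main() {
	trusted := map[string]bool{"BILLING": true}
	// Constructed sample messages; header values are illustrative only.
	cases := []Message{
		{Subject: "ledger.post", Header: map[string]string{"Nats-Request-Info": `{"acc":"BILLING"}`}, Data: "stamped by a trusted server"},
		{Subject: "ledger.post", Header: map[string]string{"Nats-Request-Info": `{"acc":"BILLING"}`}, Data: "written by the publisher over an untrusted leafnode"},
		{Subject: "ledger.post", Header: map[string]string{"Nats-Request-Info": `{"acc":"GUEST"}`}, Data: "account not on the allow-list"},
		{Subject: "ledger.post", Header: map[string]string{}, Data: "no header at all"},
	}
	for _, m := range cases {
		fmt.Printf("%-55s allowed=%v\n", m.Data, AuthorizeByHeader(m, trusted))
	}
}
```

The first two cases are the point: the handler returns the same decision for both because the header bytes are identical, and the message carries nothing that tells the client which path the request took. That is why the fix has to live in the server and why the advisory lists no client-side workaround.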
Operationally, the exposure depends on topology and on client behaviour. The advisory identifies leafnode connections without a bridged system account as the path over which untrusted identity claims were propagated, so deployments that accept such leafnodes and whose clients act on `Nats-Request-Info:` are the ones at risk; clients that never consult the header are not affected through this issue. The CVSS confidentiality and integrity ratings describe what a relying client might do with a forged claim: disclose data to, or accept writes or privileged actions from, a principal it would otherwise have refused. The server itself is not compromised, and the advisory does not describe any interception of traffic; the attack is impersonation of an account or user toward the consuming client.
The remedy is to upgrade to 2.11.15 or 2.12.6, according to the branch in use. There is no known workaround, so the header cannot be made trustworthy on an unpatched server by configuration alone, and the update should reach every nats-server instance in the deployment. Until that is done, inventory the services that consume `Nats-Request-Info:` and determine whether any of them use it for authorization rather than for logging or display; those services inherit the full impact of a spoofed claim. The fixed releases address the root cause by ensuring that identity information from an untrusted leafnode is not propagated in a form clients would accept as server-asserted. In ATT&CK terms the closest fit is T1078 Valid Accounts: the attacker does not break authentication but presents the identity of a legitimate account to a system that trusts the claim.
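A quick check for the affected range, as an added example that is not part of the NATS project: parse the version string printed by `nats-server --version` and compare it against the first fixed release of each branch named above. Treating branches newer than 2.12 as containing the fix, and everything below 2.11.15 as affected, is this example's reading of "prior to versions 2.11.15 and 2.12.6"; the advisory itself does not spell out other branches.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Version is a parsed nats-server release number.
type Version struct{ Major, Minor, Patch int }

// versionRe accepts "2.11.14", "v2.11.14" or the full line printed by
// `nats-server --version` ("nats-server: v2.11.14").
var versionRe = regexp.MustCompile(`v?(\d+)\.(\d+)\.(\d+)`)

// ParseVersion extracts the first major.minor.patch triple from s.
func ParseVersion(s string) (Version, error) {
	m := versionRe.FindStringSubmatch(s)
	if m == nil {
		return Version{}, fmt.Errorf("no version number in %q", s)
	}
	maj, _ := strconv.Atoi(m[1]) // digits are guaranteed by the regexp
	mi, _ := strconv.Atoi(m[2])
	pat, _ := strconv.Atoi(m[3])
	return Version{maj, mi, pat}, nil
}

// Less reports whether v precedes o.
func (v Version) Less(o Version) bool {
	if v.Major != o.Major {
		return v.Major < o.Major
	}
	if v.Minor != o.Minor {
		return v.Minor < o.Minor
	}
	return v.Patch < o.Patch
}

// fixedIn lists the first fixed release of each branch the advisory names,
// oldest first.
var fixedIn = []Version{{2, 11, 15}, {2, 12, 6}}

// Affected reports whether v predates the fix for its branch. A version on a
// branch the advisory does not name is treated as affected only if it is older
// than the oldest fixed release; that later branches carry the fix is this
// example's assumption.
func Affected(v Version) bool {
	for _, f := range fixedIn {
		if v.Major == f.Major && v.Minor == f.Minor {
			return v.Less(f)
		}
	}
	return v.Less(fixedIn[0])
}

// Check parses a version line and reports whether that release is affected.
func Check(line string) (bool, error) {
	v, err := ParseVersion(line)
	if err != nil {
		return false, err
	}
	return Affected(v), nil
}

func main() {
	// Constructed sample lines in the format `nats-server --version` prints.
	for _, line := range []string{"nats-server: v2.11.14", "nats-server: v2.11.15", "nats-server: v2.12.5", "nats-server: v2.12.6", "nats-server: v2.10.22"} {
		affected, err := Check(line)
		if err != nil {
			fmt.Println(line, "->", err)
			continue
		}
		fmt.Printf("%-25s affected=%v\n", line, affected)
	}
}
```

In a fleet, feed the same function the `version` field from each server's monitoring endpoint or the output of `nats-server --version` collected from each host; the branch-aware comparison matters because 2.12.0 through 2.12.5 are newer than 2.11.15 but still vulnerable.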