NATS: Message tracing can be redirected to arbitrary subject

4.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Description

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission. The payload is a valid trace message and not chosen by the attacker. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.

Basic Information

ID CVE-2026-33249

Source GitHub_M

Published Mar 25, 2026 at 20:21

Modified Mar 26, 2026 at 19:52

Affected Product

Vendor nats-io

Product nats-server

Version >= 2.11.0, < 2.11.15

Affected Versions nats-io nats-server >= 2.11.0, < 2.11.15
nats-io nats-server >= 2.12.0-preview.1, < 2.12.6

CWE Classification

CWE-863

References

{
    "lastseen": "",
    "description": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission. The payload is a valid trace message and not chosen by the attacker. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.",
    "published": "2026-03-25T20:21:30.156Z",
    "modified": "2026-03-26T19:52:12.206Z",
    "type": "cve",
    "title": "NATS: Message tracing can be redirected to arbitrary subject",
    "source": "GitHub_M",
    "references": "https://github.com/nats-io/nats-server/security/advisories/GHSA-8m2x-3m6q-6w8j\nhttps://advisories.nats.io/CVE/secnote-2026-15.txt",
    "id": "CVE-2026-33249",
    "bulletinFamily": "",
    "cwe": [
        "CWE-863"
    ],
    "cvelist": null,
    "sourceData": "nats-io nats-server >= 2.11.0, < 2.11.15\nnats-io nats-server >= 2.12.0-preview.1, < 2.12.6",
    "sourceHref": "",
    "cvss": {
        "score": 4.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "nats-server",
    "version": ">= 2.11.0, < 2.11.15",
    "vendor": "nats-io",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

NATS: Message tracing can be redirected to arbitrary subject_CVE-2026-33249