Skip to main content

Red Hat CVE-2026-33223

MEDIUM
Authentication Bypass by Spoofing (CWE-290)
2026-03-24 https://github.com/nats-io/nats-server
6.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
6.4 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 24, 2026 - 22:01 vuln.today
CVE Published
Mar 24, 2026 - 21:50 nvd
MEDIUM 6.4

DescriptionGitHub Advisory

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server offers a Nats-Request-Info: message header, providing information about a request.

Problem Description

The NATS message header Nats-Request-Info: is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective.

An attacker with valid credentials for any regular client interface could thus spoof their identity to services which rely upon this header.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

None.

AnalysisAI

NATS-server versions prior to v2.12.6 or v2.11.15 contain an authentication bypass vulnerability where the Nats-Request-Info message header, intended to guarantee request identity, is not fully stripped from inbound client messages. An attacker with valid credentials to any regular client interface can spoof their identity to downstream services that rely on this header for authorization decisions, potentially leading to unauthorized access or impersonation. While no confirmed active exploitation or public proof-of-concept is documented, the low attack complexity and low privilege requirements (any authenticated user) combined with the CVSS 6.4 score indicate moderate real-world risk, particularly in environments where message header-based identity verification is critical.

Technical ContextAI

NATS.io is a high-performance open-source publish-subscribe messaging system designed for cloud, on-premises, IoT, and edge computing architectures. The vulnerability affects the Go implementation (pkg:go/github.com_nats-io_nats-server_v2) and relates to the nats-server's handling of the Nats-Request-Info header, which is a metadata field transmitted with requests to communicate sender identity and context through the NATS broker. The root cause is classified under CWE-290 (Authentication Bypass by Spoofing), stemming from incomplete header sanitization logic that fails to strip this header from untrusted inbound messages before routing them to downstream subscribers. This allows authenticated clients to inject or manipulate the header, circumventing the server's intended identity guarantee mechanism.

RemediationAI

Immediately upgrade NATS-server to v2.12.6 or later (if running 2.12.x) or v2.11.15 or later (if running 2.11.x). See the official GitHub security advisory at https://github.com/nats-io/nats-server/security/advisories/GHSA-pwx7-fx9r-hr4h for patch details and release notes. No known workarounds exist for this vulnerability, as it requires a server-side fix to the header sanitization logic; however, organizations should prioritize patching while simultaneously auditing their downstream services to ensure they do not rely solely on the Nats-Request-Info header for critical authorization decisions—implement additional identity verification mechanisms such as mutual TLS (mTLS) between clients and NATS brokers, and restrict NATS access to trusted networks using firewall rules.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-33223 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy