Red Hat CVE-2026-33223
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server offers a Nats-Request-Info: message header, providing information about a request.
Problem Description
The NATS message header Nats-Request-Info: is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective.
An attacker with valid credentials for any regular client interface could thus spoof their identity to services which rely upon this header.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
None.
AnalysisAI
NATS-server versions prior to v2.12.6 or v2.11.15 contain an authentication bypass vulnerability where the Nats-Request-Info message header, intended to guarantee request identity, is not fully stripped from inbound client messages. An attacker with valid credentials to any regular client interface can spoof their identity to downstream services that rely on this header for authorization decisions, potentially leading to unauthorized access or impersonation. While no confirmed active exploitation or public proof-of-concept is documented, the low attack complexity and low privilege requirements (any authenticated user) combined with the CVSS 6.4 score indicate moderate real-world risk, particularly in environments where message header-based identity verification is critical.
Technical ContextAI
NATS.io is a high-performance open-source publish-subscribe messaging system designed for cloud, on-premises, IoT, and edge computing architectures. The vulnerability affects the Go implementation (pkg:go/github.com_nats-io_nats-server_v2) and relates to the nats-server's handling of the Nats-Request-Info header, which is a metadata field transmitted with requests to communicate sender identity and context through the NATS broker. The root cause is classified under CWE-290 (Authentication Bypass by Spoofing), stemming from incomplete header sanitization logic that fails to strip this header from untrusted inbound messages before routing them to downstream subscribers. This allows authenticated clients to inject or manipulate the header, circumventing the server's intended identity guarantee mechanism.
RemediationAI
Immediately upgrade NATS-server to v2.12.6 or later (if running 2.12.x) or v2.11.15 or later (if running 2.11.x). See the official GitHub security advisory at https://github.com/nats-io/nats-server/security/advisories/GHSA-pwx7-fx9r-hr4h for patch details and release notes. No known workarounds exist for this vulnerability, as it requires a server-side fix to the header sanitization logic; however, organizations should prioritize patching while simultaneously auditing their downstream services to ensure they do not rely solely on the Nats-Request-Info header for critical authorization decisions—implement additional identity verification mechanisms such as mutual TLS (mTLS) between clients and NATS brokers, and restrict NATS access to trusted networks using firewall rules.
Same weakness CWE-290 – Authentication Bypass by Spoofing
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today