Skip to main content

Red Hat CVE-2026-33246

MEDIUM
Improper Authentication (CWE-287)
2026-03-24 https://github.com/nats-io/nats-server
6.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
6.4 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 24, 2026 - 22:01 vuln.today
CVE Published
Mar 24, 2026 - 21:50 nvd
MEDIUM 6.4

DescriptionGitHub Advisory

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server allows hub/spoke topologies using "leafnode" connections by other nats-servers. NATS messages can have headers.

Problem Description

The nats-server offers a Nats-Request-Info: message header, providing information about a request. This is supposed to provide enough information to allow for account/user identification, such that NATS clients could make their own decisions on how to trust a message, provided that they trust the nats-server as a broker.

A leafnode connecting to a nats-server is not fully trusted unless the system account is bridged too. Thus identity claims should not have propagated unchecked.

Thus NATS clients relying upon the Nats-Request-Info: header could be spoofed.

Does not directly affect the nats-server itself, but the CVSS Confidentiality and Integrity scores are based upon what a hypothetical client might choose to do with this NATS header.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

None.

AnalysisAI

NATS-server versions prior to v2.12.6 or v2.11.15 are vulnerable to authentication bypass through spoofed Nats-Request-Info headers in leafnode connections. An attacker with low privileges and network access can craft malicious messages with forged identity claims that propagate through untrusted leafnode connections, allowing clients that rely on this header for trust decisions to be deceived about message origins. This affects downstream NATS clients making security decisions based on the header, potentially compromising confidentiality and integrity of message-based applications.

Technical ContextAI

NATS-server is a high-performance distributed pub-sub messaging system (pkg:go/github.com_nats-io_nats-server_v2) that uses leafnode topology for hub-and-spoke architectures connecting multiple NATS servers. The vulnerability exists in the Nats-Request-Info header mechanism, which is designed to propagate account and user identity information across server boundaries to allow clients to make trust decisions. The root cause is CWE-287 (Improper Authentication), specifically inadequate validation of identity claims originating from untrusted leafnode connections. Unlike fully trusted system account bridges, standard leafnode connections lack proper authentication checks before header propagation, creating an identity spoofing vector where attackers can inject forged headers that traverse the broker network unchecked.

RemediationAI

Immediately upgrade nats-server to version v2.12.6 or later for the v2.12 branch, or v2.11.15 or later for the v2.11 branch. These versions implement proper authentication validation for Nats-Request-Info headers originating from untrusted leafnode connections. No workarounds are available according to the advisory, making patching the only mitigation. Additionally, review client applications that depend on Nats-Request-Info headers to understand their trust models and consider implementing defense-in-depth authentication checks that do not rely solely on broker-provided identity headers. Network segmentation to restrict which servers can establish leafnode connections provides additional defense-in-depth but is not a substitute for upgrading. Refer to https://github.com/nats-io/nats-server for patch availability and https://github.com/advisories/GHSA-55h8-8g96-x4hj for additional security guidance.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-33246 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy