Red Hat CVE-2026-33246
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server allows hub/spoke topologies using "leafnode" connections by other nats-servers. NATS messages can have headers.
Problem Description
The nats-server offers a Nats-Request-Info: message header, providing information about a request. This is supposed to provide enough information to allow for account/user identification, such that NATS clients could make their own decisions on how to trust a message, provided that they trust the nats-server as a broker.
A leafnode connecting to a nats-server is not fully trusted unless the system account is bridged too. Thus identity claims should not have propagated unchecked.
Thus NATS clients relying upon the Nats-Request-Info: header could be spoofed.
Does not directly affect the nats-server itself, but the CVSS Confidentiality and Integrity scores are based upon what a hypothetical client might choose to do with this NATS header.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
None.
AnalysisAI
NATS-server versions prior to v2.12.6 or v2.11.15 are vulnerable to authentication bypass through spoofed Nats-Request-Info headers in leafnode connections. An attacker with low privileges and network access can craft malicious messages with forged identity claims that propagate through untrusted leafnode connections, allowing clients that rely on this header for trust decisions to be deceived about message origins. This affects downstream NATS clients making security decisions based on the header, potentially compromising confidentiality and integrity of message-based applications.
Technical ContextAI
NATS-server is a high-performance distributed pub-sub messaging system (pkg:go/github.com_nats-io_nats-server_v2) that uses leafnode topology for hub-and-spoke architectures connecting multiple NATS servers. The vulnerability exists in the Nats-Request-Info header mechanism, which is designed to propagate account and user identity information across server boundaries to allow clients to make trust decisions. The root cause is CWE-287 (Improper Authentication), specifically inadequate validation of identity claims originating from untrusted leafnode connections. Unlike fully trusted system account bridges, standard leafnode connections lack proper authentication checks before header propagation, creating an identity spoofing vector where attackers can inject forged headers that traverse the broker network unchecked.
RemediationAI
Immediately upgrade nats-server to version v2.12.6 or later for the v2.12 branch, or v2.11.15 or later for the v2.11 branch. These versions implement proper authentication validation for Nats-Request-Info headers originating from untrusted leafnode connections. No workarounds are available according to the advisory, making patching the only mitigation. Additionally, review client applications that depend on Nats-Request-Info headers to understand their trust models and consider implementing defense-in-depth authentication checks that do not rely solely on broker-provided identity headers. Network segmentation to restrict which servers can establish leafnode connections provides additional defense-in-depth but is not a substitute for upgrading. Refer to https://github.com/nats-io/nats-server for patch availability and https://github.com/advisories/GHSA-55h8-8g96-x4hj for additional security guidance.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today