CVE-2026-33247

HIGH
2026-03-24 https://github.com/nats-io/nats-server
7.4
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch Released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 24, 2026 - 20:45 vuln.today
CVE Published
Mar 24, 2026 - 20:44 nvd
HIGH 7.4

Tags

Information Disclosure

Description

### Background NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The nats-server provides an optional monitoring port, which provides access to sensitive data. The nats-server can take certain configuration options on the command-line instead of requiring a configuration file. ### Problem Description If a nats-server is run with static credentials for all clients provided via argv (the command-line), then those credentials are visible to any user who can see the monitoring port, if that too is enabled. The `/debug/vars` end-point contains an unredacted copy of argv. ### Patches Fixed in nats-server 2.12.6 & 2.11.15 ### Workarounds The NATS Maintainers are bemused at the concept of someone deploying a real configuration using `--pass` to avoid a config file, but also enabling monitoring. Configure credentials inside a configuration file instead of via argv. Do not enable the monitoring port if using secrets in argv. Best practice remains to not expose the monitoring port to the Internet, or to untrusted network sources.

Analysis

A credential exposure vulnerability exists in NATS.io nats-server where static authentication credentials passed via command-line arguments are disclosed through the monitoring port's /debug/vars endpoint without redaction. NATS.io nats-server versions prior to 2.12.6 and 2.11.15 are affected. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

Within 24 hours: Identify all NATS.io deployments running versions prior to 2.12.6 or 2.11.15 and audit which systems use command-line credentials with monitoring enabled. Within 7 days: Implement network-level controls to restrict monitoring port access or disable monitoring endpoints if not operationally required. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

37
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +37
POC: 0

Share

CVE-2026-33247 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy