
CVE-2026-33247

Severity: MEDIUM (CVSS 3.1 base score 5.3, NVD)
Weakness: Insertion of Sensitive Information Into Debugging Code (CWE-215)
Published 2026-03-24 · Source: https://github.com/nats-io/nats-server

Severity by source

NVD (primary): 5.3 MEDIUM, AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
SUSE: 7.4 HIGH, AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Red Hat: 7.5 HIGH (qualitative rating)

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline (5 events)

Severity changed: Jun 30, 2026 03:24 (NVD), HIGH → MEDIUM
CVSS changed: Jun 30, 2026 03:24 (NVD), 7.4 (HIGH) → 5.3 (MEDIUM)
Patch released: Mar 31, 2026 21:13 (NVD), patch available
Analysis generated: Mar 24, 2026 20:45 (vuln.today)
CVE published: Mar 24, 2026 20:44 (NVD), HIGH 7.4

Description (NVD)

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server provides an optional monitoring port, which provides access to sensitive data. The nats-server can take certain configuration options on the command-line instead of requiring a configuration file.

Problem Description

If a nats-server is run with static credentials for all clients provided via argv (the command-line), then those credentials are visible to any user who can see the monitoring port, if that too is enabled.

The /debug/vars end-point contains an unredacted copy of argv.

Patches

Fixed in nats-server 2.12.6 & 2.11.15

Workarounds

The NATS Maintainers are bemused at the concept of someone deploying a real configuration using --pass to avoid a config file, but also enabling monitoring.

Configure credentials inside a configuration file instead of via argv.

Do not enable the monitoring port if using secrets in argv.

Best practice remains to not expose the monitoring port to the Internet, or to untrusted network sources.
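As an added illustration of the exposure described above (this is not code from the advisory or from the nats-server project): a small Python audit that reads the cmdline array from an expvar-style /debug/vars document, reports whether both conditions named in the advisory hold (credentials in argv and the monitoring port enabled), and shows the redaction a server should apply before exposing its argv anywhere. The flag sets beyond --user/--pass, and the sample document, are assumptions made for the example.

```python
import json

# Assumed flag sets (not from the advisory): credential flags named in the analysis
# (--user/--pass) plus --auth for token auth, and the flags that open the monitoring port.
SECRET_FLAGS = {"--user", "--pass", "--auth"}
MONITOR_FLAGS = {"-m", "--http_port", "-ms", "--https_port"}

# Constructed sample of a Go expvar /debug/vars body; a real one also carries
# memstats and other vars, only "cmdline" matters here.
SAMPLE_DEBUG_VARS = json.dumps({
    "cmdline": ["nats-server", "-m", "8222", "--user", "svc", "--pass", "hunter2"],
    "memstats": {"Alloc": 123456},
})

def argv_from_debug_vars(body: str) -> list:
    """Pull the process argv out of an expvar JSON document."""
    return json.loads(body).get("cmdline", [])

def secret_flags_present(argv) -> list:
    """Return the credential flags found in argv ('--pass x' and '--pass=x' forms)."""
    return [a.partition("=")[0] for a in argv if a.partition("=")[0] in SECRET_FLAGS]

def monitoring_enabled(argv) -> bool:
    """True if any flag that opens the monitoring port is present."""
    return any(a.partition("=")[0] in MONITOR_FLAGS for a in argv)

def redact_argv(argv) -> list:
    """Copy of argv with every credential value replaced, which is what a
    server should do before exposing its command line anywhere."""
    out, hide_next = [], False
    for arg in argv:
        if hide_next:
            out.append("[REDACTED]")
            hide_next = False
            continue
        name, sep, _ = arg.partition("=")
        if name in SECRET_FLAGS:
            out.append(name + "=[REDACTED]" if sep else name)
            hide_next = not sep
        else:
            out.append(arg)
    return out

def exposed_via_debug_vars(body: str) -> bool:
    """True only when the monitoring port is on AND argv carries credentials."""
    argv = argv_from_debug_vars(body)
    return monitoring_enabled(argv) and bool(secret_flags_present(argv))
```

Run against the command line of your own deployment (from a manifest or the process table) to confirm the workaround has been applied.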

Analysis (AI)

A credential exposure vulnerability exists in NATS.io nats-server where static authentication credentials passed via command-line arguments are disclosed through the monitoring port's /debug/vars endpoint without redaction. NATS.io nats-server versions prior to 2.12.6 and 2.11.15 are affected. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: access NATS monitoring port
Delivery: retrieve command-line arguments from process info
Exploit: extract hardcoded static credentials
Execution: authenticate as privileged client
Impact: publish/subscribe to sensitive messages

Vulnerability Assessment (AI)

Exploitation: nats-server must be configured with static credentials passed via command-line arguments AND the monitoring port must be accessible to the attacker. …

Risk Assessment: The CVSS score of 7.4 (High) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N indicates network-accessible exploitation with high attack complexity requiring no privileges or user interaction. …

Exploit Scenario: An attacker scanning for exposed NATS monitoring ports on default or common ports discovers an instance configured with command-line credentials. By sending an HTTP GET request to the /debug/vars endpoint without authentication, the attacker retrieves the unredacted argv array containing plaintext credentials passed via flags like --user and --pass. …

Remediation: Upgrade nats-server to version 2.12.6 or later for the 2.12.x branch, or version 2.11.15 or later for the 2.11.x branch, as documented in the GitHub security advisory at https://github.com/nats-io/nats-server/security/advisories/GHSA-x6g4-f6q3-fqvv. …

Recommended Action (AI)

Within 24 hours: Identify all NATS.io deployments running versions prior to 2.12.6 or 2.11.15 and audit which systems use command-line credentials with monitoring enabled. …


Vendor Status

SUSE (severity: High)

Product: status
openSUSE Leap 15.6: Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5: Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6: Fixed
openSUSE Leap 15.5: Fixed

CVE-2026-33247 vulnerability details – vuln.today