CVE-2026-33247
Severity (by source): MEDIUM, primary rating from NVD
CVSS vector (NVD): CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS vector (second source listed on the page): AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Description (NVD)
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server provides an optional monitoring port, which provides access to sensitive data. The nats-server can take certain configuration options on the command-line instead of requiring a configuration file.
Problem Description
If a nats-server is run with static credentials for all clients provided via argv (the command-line), then those credentials are visible to any user who can see the monitoring port, if that too is enabled.
The /debug/vars end-point contains an unredacted copy of argv.
Patches
Fixed in nats-server 2.12.6 & 2.11.15
Workarounds
The NATS Maintainers are bemused at the concept of someone deploying a real configuration using --pass to avoid a config file, but also enabling monitoring.
- Configure credentials inside a configuration file instead of via argv.
- Do not enable the monitoring port if using secrets in argv.
- Best practice remains to not expose the monitoring port to the Internet, or to untrusted network sources.
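To audit whether a deployment's own monitoring endpoint would expose argv, and to show what redacting secret-bearing flags looks like, here is an added Go example that is not part of the advisory or of the nats-server code base. It parses a constructed /debug/vars response (Go's expvar output, whose "cmdline" key is os.Args) and assumes --user, --pass (both named in the advisory) and --auth (token) as the flags of interest.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Flags whose values are secrets on the nats-server command line: --user and --pass
// are named in the advisory; --auth (token) is assumed here as a further flag to audit.
var secretFlags = map[string]bool{"--user": true, "--pass": true, "--auth": true}
// RedactArgv replaces secret flag values in argv, handling both the
// "--pass s3cret" and "--pass=s3cret" forms.
func RedactArgv(argv []string) []string {
	out := make([]string, 0, len(argv))
	for i := 0; i < len(argv); i++ {
		name, _, hasEq := strings.Cut(argv[i], "=")
		switch {
		case hasEq && secretFlags[name]: // --pass=s3cret
			out = append(out, name+"=[REDACTED]")
		case secretFlags[name] && i+1 < len(argv): // --pass s3cret
			out = append(out, name, "[REDACTED]")
			i++ // skip the value token
		default:
			out = append(out, argv[i])
		}
	}
	return out
}
// LeakedFlags parses a /debug/vars body (Go's expvar output, whose "cmdline"
// key is the unredacted os.Args) and returns the secret flags it contains.
func LeakedFlags(body []byte) ([]string, error) {
	var vars struct{ Cmdline []string `json:"cmdline"` }
	if err := json.Unmarshal(body, &vars); err != nil {
		return nil, err
	}
	var leaked []string
	for _, arg := range vars.Cmdline {
		if name, _, _ := strings.Cut(arg, "="); secretFlags[name] {
			leaked = append(leaked, name)
		}
	}
	return leaked, nil
}
// Constructed sample /debug/vars response; not captured from a real server.
const sampleVars = `{"cmdline":["nats-server","-m","8222","--user","admin","--pass=s3cret"],"memstats":{}}`
func main() {
	leaked, _ := LeakedFlags([]byte(sampleVars))
	fmt.Println("exposed:", leaked, "redacted:", RedactArgv([]string{"--user", "admin", "--pass=s3cret"}))
}
```

Run LeakedFlags against the body fetched from your own servers' monitoring port; any non-empty result means the process was started with secrets on argv and needs the configuration-file workaround or the patched version.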
Analysis (AI-generated)
A credential exposure vulnerability exists in NATS.io nats-server where static authentication credentials passed via command-line arguments are disclosed through the monitoring port's /debug/vars endpoint without redaction. NATS.io nats-server versions prior to 2.12.6 and 2.11.15 are affected. …
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
|---|---|
| Exploitation | nats-server must be configured with static credentials passed via command-line arguments AND the monitoring port must be accessible to the attacker. … |
| Risk Assessment | The CVSS score of 7.4 (High) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N indicates network-accessible exploitation with high attack complexity requiring no privileges or user interaction. … |
| Exploit Scenario | An attacker scanning for exposed NATS monitoring ports on default or common ports discovers an instance configured with command-line credentials. By sending an HTTP GET request to the /debug/vars endpoint without authentication, the attacker retrieves the unredacted argv array containing plaintext credentials passed via flags like --user and --pass. … |
| Remediation | Upgrade nats-server to version 2.12.6 or later for the 2.12.x branch, or version 2.11.15 or later for the 2.11.x branch, as documented in the GitHub security advisory at https://github.com/nats-io/nats-server/security/advisories/GHSA-x6g4-f6q3-fqvv. … |
Recommended Action (AI-generated)
Within 24 hours: Identify all NATS.io deployments running versions prior to 2.12.6 or 2.11.15 and audit which systems use command-line credentials with monitoring enabled. …
Vendor Status
SUSE (severity: High)
| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |