Skip to main content

Red Hat CVE-2026-33249

MEDIUM
Incorrect Authorization (CWE-863)
2026-03-24 https://github.com/nats-io/nats-server
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
6.4 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 24, 2026 - 20:45 vuln.today
CVE Published
Mar 24, 2026 - 20:37 nvd
MEDIUM 4.3

DescriptionGitHub Advisory

Impact

A valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission. The payload is a valid trace message and not attacker chosen.

Patches

Fixed in nats-server 2.12.6 & 2.11.15

Workarounds

None safe to use.

AnalysisAI

A valid NATS client using message tracing headers can be exploited to send trace messages to arbitrary subjects, bypassing publish permission controls. This affects NATS Server versions prior to 2.12.6 and 2.11.15, allowing authenticated clients to violate authorization policies. While the injected payload is limited to valid trace messages rather than arbitrary content, the capability to publish to unauthorized subjects represents an integrity violation and potential information disclosure risk.

Technical ContextAI

NATS Server (pkg:go/github.com_nats-io_nats-server_v2) is a high-performance distributed messaging system written in Go. The vulnerability stems from improper authorization enforcement in the message tracing functionality, specifically in how trace headers are processed. The root cause is classified as CWE-863 (Incorrect Authorization), indicating that the system fails to properly validate whether an authenticated user has permission to publish to the target subject when message tracing headers indicate an alternate destination. The tracing feature, intended for diagnostic purposes, is leveraged to circumvent the publish ACL enforcement mechanism that would normally prevent a client from sending messages to restricted subjects.

RemediationAI

Immediately upgrade NATS Server to version 2.12.6 or 2.11.15 or later, as patches are available from the official repository at https://github.com/nats-io/nats-server. No safe workarounds exist according to vendor guidance, making patching the only viable mitigation. In environments where immediate patching is not possible, implement network-level access controls to restrict which clients can connect to the NATS broker and consider disabling message tracing functionality if it is not actively required for operations. Additionally, review and enforce principle-of-least-privilege authorization policies to minimize the damage if an authenticated client with limited permissions attempts exploitation.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-33249 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy