Red Hat CVE-2026-33249
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
A valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission. The payload is a valid trace message and not attacker chosen.
Patches
Fixed in nats-server 2.12.6 & 2.11.15
Workarounds
None safe to use.
AnalysisAI
A valid NATS client using message tracing headers can be exploited to send trace messages to arbitrary subjects, bypassing publish permission controls. This affects NATS Server versions prior to 2.12.6 and 2.11.15, allowing authenticated clients to violate authorization policies. While the injected payload is limited to valid trace messages rather than arbitrary content, the capability to publish to unauthorized subjects represents an integrity violation and potential information disclosure risk.
Technical ContextAI
NATS Server (pkg:go/github.com_nats-io_nats-server_v2) is a high-performance distributed messaging system written in Go. The vulnerability stems from improper authorization enforcement in the message tracing functionality, specifically in how trace headers are processed. The root cause is classified as CWE-863 (Incorrect Authorization), indicating that the system fails to properly validate whether an authenticated user has permission to publish to the target subject when message tracing headers indicate an alternate destination. The tracing feature, intended for diagnostic purposes, is leveraged to circumvent the publish ACL enforcement mechanism that would normally prevent a client from sending messages to restricted subjects.
RemediationAI
Immediately upgrade NATS Server to version 2.12.6 or 2.11.15 or later, as patches are available from the official repository at https://github.com/nats-io/nats-server. No safe workarounds exist according to vendor guidance, making patching the only viable mitigation. In environments where immediate patching is not possible, implement network-level access controls to restrict which clients can connect to the NATS broker and consider disabling message tracing functionality if it is not actively required for operations. Additionally, review and enforce principle-of-least-privilege authorization policies to minimize the damage if an authenticated client with limited permissions attempts exploitation.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today