CVE-2026-33223

NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing

Assigner: GitHub_M
Reserved: 17.03.2026 Published: 25.03.2026 Updated: 25.03.2026

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, the NATS message header Nats-Request-Info: is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective. An attacker with valid credentials for any regular client interface could thus spoof their identity to services which rely upon this header. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CVSS Score: 6.4

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	nats-io
Product	nats-server
Versions	Version < 2.11.15 is affected Version >= 2.12.0-RC.1, < 2.12.6 is affected

Vendor

nats-io

Product

nats-server

Versions

Version < 2.11.15 is affected
Version >= 2.12.0-RC.1, < 2.12.6 is affected

References

Problem Types

CWE-290: Authentication Bypass by Spoofing CWE

CVE-2026-33223 PUBLISHED

NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing

Metrics

Product Status

References

Problem Types