CVE-2026-33249

NATS: Message tracing can be redirected to arbitrary subject

Assigner: GitHub_M
Reserved: 18.03.2026 Published: 25.03.2026 Updated: 25.03.2026

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission. The payload is a valid trace message and not chosen by the attacker. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS Score: 4.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	Low	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	nats-io
Product	nats-server
Versions	Version >= 2.11.0, < 2.11.15 is affected Version >= 2.12.0-preview.1, < 2.12.6 is affected

Vendor

nats-io

Product

nats-server

Versions

Version >= 2.11.0, < 2.11.15 is affected
Version >= 2.12.0-preview.1, < 2.12.6 is affected

References

Problem Types

CWE-863: Incorrect Authorization CWE

CVE-2026-33249 PUBLISHED

NATS: Message tracing can be redirected to arbitrary subject

Metrics

Product Status

References

Problem Types