Vulnerability Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission. The payload is a valid trace message and not chosen by the attacker. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linuxfoundation | Nats-Server | >= 2.11.0, < 2.11.15 |
Related Weaknesses (CWE)
References
- https://advisories.nats.io/CVE/secnote-2026-15.txtVendor Advisory
- https://github.com/nats-io/nats-server/security/advisories/GHSA-8m2x-3m6q-6w8jVendor Advisory
FAQ
What is CVE-2026-33249?
CVE-2026-33249 is a vulnerability with a CVSS score of 4.3 (MEDIUM). NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message t...
How severe is CVE-2026-33249?
CVE-2026-33249 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-33249?
Check the references section above for vendor advisories and patch information. Affected products include: Linuxfoundation Nats-Server.