CVE-2026-33223
Published: 2026-03-25
CVE-2026-33223: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, the NATS message header…
Priority: P4 · 32 · medium · 5.4 (CVSS 3.1) · AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
EPSS: 0.21% (11.3rd percentile)
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, the NATS message header `Nats-Request-Info:` is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective. An attacker with valid credentials for any regular client interface could thus spoof their identity to services which rely upon this header. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | nats-server | < nats-server 2.12.6-1 (forky) | nats-server 2.12.6-1 (forky) |
| github.com | nats-io_nats-server_v2 | >= 0 < 2.11.15 | 2.11.15 |
| github.com | nats-io_nats-server_v2 | >= 2.12.0-RC.1 < 2.12.6 | 2.12.6 |
| linuxfoundation | nats-server | < 2.11.15 | 2.11.15 |
| linuxfoundation | nats-server | >= 0 < 2.12.6-1 | 2.12.6-1 |
| linuxfoundation | nats-server | >= 2.12.0 < 2.12.6 | 2.12.6 |
| nats-io | nats-server | < 2.11.15 | 2.11.15 |
| nats-io | nats-server | — | — |
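The two github.com rows above are the only ones written as full semver ranges, and one of them starts at a prerelease tag (2.12.0-RC.1), which a comparison that ignores prerelease ordering gets wrong. The following Go program is an added example, not code from the nats-server project or from this page: it parses upstream nats-server version strings, orders them by semver rules (a prerelease sorts before the final release with the same core), and reports whether a version lies inside either affected range of CVE-2026-33223. The `IsAffected` function, the `cve202633223Ranges` list and the sample inventory in `main` are this example's own constructions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Affected ranges for CVE-2026-33223, copied from the advisory's version table:
// lo is inclusive ("" means every version from 0), hi is exclusive.
type affectedRange struct{ lo, hi string }

var cve202633223Ranges = []affectedRange{
	{lo: "", hi: "2.11.15"},           // >= 0 < 2.11.15, fixed in 2.11.15
	{lo: "2.12.0-RC.1", hi: "2.12.6"}, // >= 2.12.0-RC.1 < 2.12.6, fixed in 2.12.6
}

// version is a parsed upstream nats-server version such as "v2.11.15" or "2.12.0-RC.1".
type version struct {
	major, minor, patch int
	pre                 string // prerelease identifiers after '-', "" for a final release
}

// parseVersion accepts an optional leading "v" and an optional "-prerelease" suffix.
func parseVersion(s string) (version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	core, pre, _ := strings.Cut(s, "-")
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return version{}, fmt.Errorf("malformed version %q", s)
	}
	var n [3]int
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil || x < 0 {
			return version{}, fmt.Errorf("malformed version %q", s)
		}
		n[i] = x
	}
	return version{major: n[0], minor: n[1], patch: n[2], pre: pre}, nil
}

// mustParse is for the hard-coded range bounds, which are known to be well formed.
func mustParse(s string) version {
	v, err := parseVersion(s)
	if err != nil {
		panic(err)
	}
	return v
}

// cmpInt returns -1, 0 or 1.
func cmpInt(a, b int) int {
	switch {
	case a < b:
		return -1
	case a > b:
		return 1
	}
	return 0
}

// compare orders versions by semver rules: numeric core first; a prerelease sorts
// BEFORE the final release with the same core (2.12.0-RC.1 < 2.12.0); prerelease
// identifiers compare numerically when both are numbers, otherwise as strings.
func (a version) compare(b version) int {
	if c := cmpInt(a.major, b.major); c != 0 {
		return c
	}
	if c := cmpInt(a.minor, b.minor); c != 0 {
		return c
	}
	if c := cmpInt(a.patch, b.patch); c != 0 {
		return c
	}
	switch {
	case a.pre == b.pre:
		return 0
	case a.pre == "":
		return 1
	case b.pre == "":
		return -1
	}
	ai, bi := strings.Split(a.pre, "."), strings.Split(b.pre, ".")
	for i := 0; i < len(ai) && i < len(bi); i++ {
		an, aerr := strconv.Atoi(ai[i])
		bn, berr := strconv.Atoi(bi[i])
		var c int
		if aerr == nil && berr == nil {
			c = cmpInt(an, bn)
		} else {
			c = strings.Compare(ai[i], bi[i])
		}
		if c != 0 {
			return c
		}
	}
	return cmpInt(len(ai), len(bi)) // the longer identifier list is the later prerelease
}

// IsAffected reports whether an upstream nats-server version falls inside either
// vulnerable range of CVE-2026-33223 (hypothetical helper, not a project API).
func IsAffected(v string) (bool, error) {
	pv, err := parseVersion(v)
	if err != nil {
		return false, err
	}
	for _, r := range cve202633223Ranges {
		if pv.compare(mustParse(r.hi)) >= 0 {
			continue // at or above the fixed version for this branch
		}
		if r.lo != "" && pv.compare(mustParse(r.lo)) < 0 {
			continue // below the start of this branch's range
		}
		return true, nil
	}
	return false, nil
}

func main() {
	// Constructed sample inventory of version strings, not real hosts.
	for _, v := range []string{"2.10.22", "2.11.14", "v2.11.15", "2.12.0-RC.1", "2.12.5", "2.12.6", "2.13.0"} {
		hit, err := IsAffected(v)
		if err != nil {
			fmt.Println(v, "->", err)
			continue
		}
		fmt.Printf("%-12s affected=%v\n", v, hit)
	}
}
```

The function expects upstream version strings. Debian package versions such as 2.12.6-1 carry a package revision after the hyphen, not a semver prerelease, so strip that suffix before passing them in; otherwise the parser would order 2.12.6-1 before 2.12.6 and wrongly report it as affected.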
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
| osv | 5.4 | MEDIUM | — |
| vendor_debian | 6.4 | MEDIUM | — |
| vendor_redhat | 6.4 | MEDIUM | — |
OSV
NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing in github.com/nats-io/nats-server
osv · 2026-03-26 · CVE-2026-33223
OSV
CVE-2026-33223: NATS-Server is a High-Performance server for NATS
osv · 2026-03-25 · CVE-2026-33223 · MEDIUM · CVSS 5.4
OSV
NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing
osv · 2026-03-24 · CVE-2026-33223 · MEDIUM
### Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server offers a `Nats-Request-Info:` message header, providing information about a request.
### Problem Description
The NATS message header `Nats-Request-Info:` is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective.
An attacker with valid credentials for any regular client interface could thus spoof their identity to services which rely upon this header.
### Affected Versions
Any version before v2.12.6 or v2.11.15
### Workarounds
None.
GHSA
NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing
ghsa · 2026-03-24 · CVE-2026-33223 · MEDIUM · CWE-290
Red Hat
nats-server: github.com/nats-io/nats-server: NATS-Server: Identity spoofing via `Nats-Request-Info:` header
vendor_redhat · 2026-03-25 · CVE-2026-33223 · MEDIUM · CWE-807 · CVSS 6.4
A flaw was found in NATS-Server. An authenticated attacker could exploit a vulnerability where the `Nats-Request-Info:` message header was not effect
Debian
CVE-2026-33223: nats-server - NATS-Server is a High-Performance server for NATS.io, a cloud and edge native me...
vendor_debian · 2026 · CVE-2026-33223 · MEDIUM · CVSS 6.4
Scope: local
- bookworm: open
- forky: resolved (fixed in 2.12.6-1)
- sid: resolved (fixed in 2.12.6-1)
- trixie: open
No detection rules found.
No public exploits indexed.
Published: 2026-03-25