CVE-2026-33246 — Improper Authentication in Nats-server
Severity
5.4MEDIUMNVD
EPSS
0.0%
top 92.96%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedMar 25
Latest updateMar 26
Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server offers a `Nats-Request-Info:` message header, providing information about a request. This is supposed to provide enough information to allow for account/user identification, such that NATS clients could make their own decisions on how to trust a message, provided that they trust the nats-server as a broker. A leafnode connecting to a nats-server is not fully trusted unless the system a…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5
Affected Packages5 packages
🔴Vulnerability Details
4OSV▶
NATS: Leafnode connections allow spoofing of Nats-Request-Info identity headers in github.com/nats-io/nats-server↗2026-03-26