CVE-2026-33247 — Insertion of Sensitive Information Into Debugging Code in Nats-server
Severity
5.3MEDIUMNVD
EPSS
0.0%
top 90.52%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedMar 25
Latest updateMar 26
Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, if a nats-server is run with static credentials for all clients provided via argv (the command-line), then those credentials are visible to any user who can see the monitoring port, if that too is enabled. The `/debug/vars` end-point contains an unredacted copy of argv. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, configure credentials inside a conf…
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.6 | Impact: 3.6
Affected Packages5 packages
🔴Vulnerability Details
4OSV▶
NATS credentials are exposed in monitoring port via command-line argv in github.com/nats-io/nats-server↗2026-03-26