CVE-2026-33247
Published 2026-03-25
CVE-2026-33247: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system.
Priority P3 · 35 · medium · CVSS 3.1 base score 5.3
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS 0.41% (33.1st percentile)
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, if a nats-server is run with static credentials for all clients provided via argv (the command-line), then those credentials are visible to any user who can see the monitoring port, if that too is enabled. The `/debug/vars` end-point contains an unredacted copy of argv. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, configure credentials inside a configuration file instead of via argv, and do not enable the monitoring port if using secrets in argv. Best practice remains to not expose the monitoring port to the Internet, or to untrusted network sources.
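The mechanism behind this exposure is generic to Go services: the standard `expvar` handler that serves `/debug/vars` publishes the process argv under the `cmdline` key, so whatever was typed on the command line is returned verbatim to anyone who can reach the monitoring port. The following self-audit is an added example, not code from the NATS project or the advisory. It parses a saved `/debug/vars` body and reports whether credential-carrying flags appear in `cmdline`; it assumes the nats-server flag names `--user`, `--pass` and `--auth` (and Go's `-name value` / `-name=value` flag forms), and the sample body is constructed. It is meant to be run against servers you administer, and it reports flag names only, never the values.

```python
"""Self-audit for CVE-2026-33247: does a nats-server's argv, as exposed by the
Go expvar handler at /debug/vars, carry client credentials?

Added example, not code from the NATS project. Assumes the standard expvar
layout ("cmdline" is os.Args as published by Go's expvar package) and the
nats-server flags --user, --pass and --auth.
"""
import json
from typing import Dict, List, Optional, Tuple

# nats-server command-line flags that carry a secret or the account paired with it.
CREDENTIAL_FLAGS = {"user", "pass", "auth"}

# Constructed sample of a /debug/vars body (expvar JSON, heavily trimmed).
SAMPLE_DEBUG_VARS = json.dumps({
    "cmdline": ["/usr/bin/nats-server", "-m", "8222",
                "--user", "svc", "--pass=example-not-a-real-secret"],
    "memstats": {"Alloc": 1234567},
})


def split_flag(arg: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (name, inline_value) for a Go-style flag, else (None, None).

    Go's flag package accepts -name, --name, -name=value and --name=value,
    so all four spellings must be recognised.
    """
    if not arg.startswith("-") or arg in ("-", "--"):
        return None, None
    body = arg.lstrip("-")
    if "=" in body:
        name, value = body.split("=", 1)
        return name, value
    return body, None


def credentials_in_argv(argv: List[str]) -> Dict[str, str]:
    """Map each credential flag present in argv to a redacted marker.

    The secret itself is never returned, so the audit output does not become
    a second copy of the credential.
    """
    found: Dict[str, str] = {}
    i = 0
    while i < len(argv):
        name, inline = split_flag(argv[i])
        if name in CREDENTIAL_FLAGS:
            if inline is None and i + 1 < len(argv):
                i += 1  # the value is the next argv element; skip it
            found[name] = "<redacted>"
        i += 1
    return found


def audit_debug_vars(body: str) -> Dict[str, object]:
    """Parse an expvar JSON body and report credential flags found in cmdline."""
    data = json.loads(body)
    argv = data.get("cmdline", [])
    leaked = credentials_in_argv(argv)
    return {
        "exposed": bool(leaked),
        "flags": sorted(leaked),
        "advice": ("move credentials into the config file (authorization block) "
                   "and disable or firewall the monitoring port" if leaked else "ok"),
    }


if __name__ == "__main__":
    print(audit_debug_vars(SAMPLE_DEBUG_VARS))
```

A clean result from this check on a pre-fix server still leaves the monitoring port reachable; the advisory's workaround (credentials in the configuration file, monitoring port disabled or restricted) is what removes the exposure, and upgrading to 2.11.15 or 2.12.6 removes the unredacted argv copy itself.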
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | nats-server | < nats-server 2.12.6-1 (forky) | nats-server 2.12.6-1 (forky) |
| github.com | nats-io_nats-server_v2 | >= 0 < 2.11.15 | 2.11.15 |
| github.com | nats-io_nats-server_v2 | >= 2.12.0-RC.1 < 2.12.6 | 2.12.6 |
| linuxfoundation | nats-server | < 2.11.15 | 2.11.15 |
| linuxfoundation | nats-server | >= 0 < 2.12.6-1 | 2.12.6-1 |
| linuxfoundation | nats-server | >= 2.12.0 < 2.12.6 | 2.12.6 |
| nats-io | nats-server | < 2.11.15 | 2.11.15 |
| nats-io | nats-server | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |
| osv | | 5.3 | MEDIUM | |
| vendor_debian | | 7.4 | HIGH | |
| vendor_redhat | | 7.4 | HIGH | |
OSV · 2026-03-26
NATS credentials are exposed in monitoring port via command-line argv in github.com/nats-io/nats-server
OSV · 2026-03-25 · CVSS 5.3 · MEDIUM
CVE-2026-33247: NATS-Server is a High-Performance server for NATS
GHSA · 2026-03-24 · HIGH · CWE-215
NATS credentials are exposed in monitoring port via command-line argv
### Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server provides an optional monitoring port, which provides access to sensitive data. The nats-server can take certain configuration options on the command-line instead of requiring a configuration file.
### Problem Description
If a nats-server is run with static credentials for all clients provided via argv (the command-line), then those credentials are visible to any user who can see the monitoring port, if that too is enabled.
The `/debug/vars` end-point contains an unredacted copy of argv.
### Patches
Fixed in nats-server 2.12.6 & 2.11.15
OSV · 2026-03-24 · HIGH
NATS credentials are exposed in monitoring port via command-line argv
Red Hat · 2026-03-25 · CVSS 7.4 · HIGH · CWE-214
github.com/nats-io/nats-server: NATS-Server: Information disclosure of credentials via monitoring port and command-line arguments
Debian · 2026 · CVSS 7.4 · HIGH
CVE-2026-33247: nats-server - NATS-Server is a High-Performance server for NATS.io, a cloud and edge native me...
Scope: local
bookworm: open
forky: resolved (fixed in 2.12.6-1)
sid: resolved (fixed in 2.12.6
No detection rules found.
No public exploits indexed.
References
https://advisories.nats.io/CVE/secnote-2026-14.txt
https://github.com/nats-io/nats-server/security/advisories/GHSA-x6g4-f6q3-fqvv
https://access.redhat.com/errata/RHSA-2026:21769
https://access.redhat.com/errata/RHSA-2026:22347
https://access.redhat.com/errata/RHSA-2026:23345
https://access.redhat.com/security/cve/CVE-2026-33247
https://bugzilla.redhat.com/show_bug.cgi?id=2451486
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33247.json
Published 2026-03-25