CVE-2026-33249
Published 2026-03-25
Priority P4 (26), medium, CVSS 3.1 base score 4.3
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.23% (13.5th percentile)
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission. The payload is a valid trace message and not chosen by the attacker. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | nats-server | < nats-server 2.12.6-1 (forky) | nats-server 2.12.6-1 (forky) |
| github.com | nats-io_nats-server_v2 | >= 2.11.0 < 2.11.15 | 2.11.15 |
| github.com | nats-io_nats-server_v2 | >= 2.12.0-preview.1 < 2.12.6 | 2.12.6 |
| linuxfoundation | nats-server | >= 0 < 2.12.6-1 | 2.12.6-1 |
| linuxfoundation | nats-server | >= 2.11.0 < 2.11.15 | 2.11.15 |
| linuxfoundation | nats-server | >= 2.12.0 < 2.12.6 | 2.12.6 |
| nats-io | nats-server | — | — |
| nats-io | nats-server | — | — |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| osv | 4.3 | MEDIUM | |
| vendor_debian | 4.3 | LOW | |
| vendor_redhat | 4.3 | MEDIUM | |
OSV
NATS: Message tracing can be redirected to arbitrary subject in github.com/nats-io/nats-server
osv · 2026-03-26
OSV
CVE-2026-33249: NATS-Server is a High-Performance server for NATS
osv · 2026-03-25 · CVSS 4.3 · MEDIUM
GHSA
NATS: Message tracing can be redirected to arbitrary subject
ghsa · 2026-03-24 · MEDIUM · CWE-863
### Background
NATS.io is a high-performance, open-source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server supports telemetry on messages, using the per-message NATS headers.
### Problem Description
A valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission.
The payload is a valid trace message and not chosen by the attacker.
### Affected Versions
Any version before v2.12.6 or v2.11.15
### Workarounds
None.
OSV
NATS: Message tracing can be redirected to arbitrary subject
osv · 2026-03-24 · MEDIUM
Red Hat
github.com/nats-io/nats-server: NATS-Server: Unauthorized trace message redirection via message tracing headers
vendor_redhat · 2026-03-25 · CVSS 4.3 · MEDIUM · CWE-1220
A flaw was found in NATS-Server. A valid client can exploit this flaw by manipulating message tracing headers to redirect trace messages to any valid subject, even those for
Debian
CVE-2026-33249: nats-server - NATS-Server is a High-Performance server for NATS.io, a cloud and edge native me...
vendor_debian · 2026 · CVSS 4.3 · MEDIUM
Scope: local
bookworm: resolved
forky: resolved (fixed in 2.12.6-1)
sid: resolved (fixed in 2.12.6-1)
trixie: resolved
No detection rules found.
No public exploits indexed.
Published: 2026-03-25