CVE-2026-33249
published 2026-03-25


Priority: P4 26
Severity: medium, score 4.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.23% (13.5th percentile)
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission. The payload is a valid trace message and not chosen by the attacker. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.

Affected

8 ranges

Vendor          | Product                | Version range                   | Fixed in
debian          | nats-server            | < nats-server 2.12.6-1 (forky)  | nats-server 2.12.6-1 (forky)
github.com      | nats-io_nats-server_v2 | >= 2.11.0 < 2.11.15             | 2.11.15
github.com      | nats-io_nats-server_v2 | >= 2.12.0-preview.1 < 2.12.6    | 2.12.6
linuxfoundation | nats-server            | >= 0 < 2.12.6-1                 | 2.12.6-1
linuxfoundation | nats-server            | >= 2.11.0 < 2.11.15             | 2.11.15
linuxfoundation | nats-server            | >= 2.12.0 < 2.12.6              | 2.12.6
nats-io         | nats-server            |                                 |
nats-io         | nats-server            |                                 |

CVSS provenance

Source        | CVSS version | Score | Severity | Vector
nvd           | v3.1         | 4.3   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
osv           |              | 4.3   | MEDIUM   |
vendor_debian |              | 4.3   | LOW      |
vendor_redhat |              | 4.3   | MEDIUM   |