Information Spoofing in NATS-Server Messaging System by NATS.io
CVE-2026-33246

6.4MEDIUM

Key Information:

Vendor: Nats-io
Status: Nats-server
Vendor: CVE Published:; 25 March 2026

What is CVE-2026-33246?

NATS-Server, developed by NATS.io, is a high-performance messaging server that facilitates cloud and edge-native communication. A vulnerability exists in versions prior to 2.11.15 and 2.12.6, where the Nats-Request-Info: header can be manipulated by malicious actors. This exploitation allows a compromised client to spoof the information shared with legitimate NATS clients, undermining user identification and trust in message integrity. This issue arises because the leafnode connecting to the nats-server cannot guarantee full trust unless appropriate account bridging is in place. To mitigate this risk, users should upgrade to the patched versions of the NATS-Server.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

nats-server < 2.11.15 < 2.11.15

nats-server >= 2.12.0-RC.1, < 2.12.6 < 2.12.0-RC.1, 2.12.6

References

https://github.com/nats-io/nats-server/security/advisorie...

x_refsource_CONFIRM

https://advisories.nats.io/CVE/secnote-2026-08.txt

x_refsource_MISC

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 25, 2026
Vulnerability Reserved
Mar 18, 2026

JSON

Nats-io