Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, the NATS message header `Nats-Request-Info:` is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective. An attacker with valid credentials for any regular client interface could thus spoof their identity to services which rely upon this header. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.
Published: 2026-03-25
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Identity Spoofing
Action: Patch Now
AI Analysis

Impact

NATS‑Server is a high‑performance messaging server that relies on a request header, Nats‑Request‑Info, to identify the source of a message. In versions prior to 2.11.15 and 2.12.6, the server does not fully strip this header from inbound traffic, which means that a client can embed the header and have it accepted as its own identity. The result is that a legitimate client can impersonate any other service that relies on this header for authentication, creating a path for deception and unauthorized access. The weakness falls under incorrect authorization (CWE‑290) and improper handling of sensitive information (CWE‑807).

Affected Systems

NATS Server from nats‑io is affected in versions older than 2.11.15 and 2.12.6. These releases are the ones that fail to remove the Nats‑Request‑Info header entirely, allowing identity spoofing. Documentation and advisories explicitly list these two versions as vulnerable.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity, while the EPSS score of less than 1% suggests that exploitation is currently rare in the wild and the vulnerability is not yet leveraged in known attacks. The vulnerability does not appear in CISA’s KEV catalog. An attacker must have valid credentials to any regular client interface to send messages, but once credentials exist, the attack vector is network‑bound; any client can supply a forged header to override the server’s perceived identity. The potential impact is limited to services that depend on the header for authentication or authorization decisions, but could allow privilege escalation or denial of service within a trusted environment.

Generated by OpenCVE AI on March 26, 2026 at 18:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the NATS Server to version 2.11.15 or 2.12.6 or later, which contain the header‑stripping fix.
  • Deploy the patched version across all instances in the cluster to eliminate the privilege‑escapable path.
  • Verify that clients no longer receive or send the Nats‑Request‑Info header and adjust any downstream logic that trusts this header.
  • Monitor logs for anomalous header usage or repeated spoof attempts after upgrade.
  • If an upgrade is temporarily infeasible, consider disabling the trust of Nats‑Request‑Info headers or restricting the credential base to the most trusted clients only.

Generated by OpenCVE AI on March 26, 2026 at 18:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-pwx7-fx9r-hr4h NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing
History

Thu, 26 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Linuxfoundation
Linuxfoundation nats-server
CPEs cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*
Vendors & Products Linuxfoundation
Linuxfoundation nats-server

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Nats
Nats nats Server
Vendors & Products Nats
Nats nats Server

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-807
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 25 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, the NATS message header `Nats-Request-Info:` is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective. An attacker with valid credentials for any regular client interface could thus spoof their identity to services which rely upon this header. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.
Title NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing
Weaknesses CWE-290
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Linuxfoundation Nats-server
Nats Nats Server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T17:51:23.590Z

Reserved: 2026-03-17T23:23:58.315Z

Link: CVE-2026-33223

cve-icon Vulnrichment

Updated: 2026-03-26T17:51:19.770Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T21:16:47.397

Modified: 2026-03-26T17:18:04.750

Link: CVE-2026-33223

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-25T20:20:00Z

Links: CVE-2026-33223 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:29:45Z

Weaknesses