Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, if a nats-server is run with static credentials for all clients provided via argv (the command-line), then those credentials are visible to any user who can see the monitoring port, if that too is enabled. The `/debug/vars` end-point contains an unredacted copy of argv. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, configure credentials inside a configuration file instead of via argv, and do not enable the monitoring port if using secrets in argv. Best practice remains to not expose the monitoring port to the Internet, or to untrusted network sources.
Published: 2026-03-25
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises when nats-server is started with static credentials supplied as command‑line arguments. The monitoring port’s /debug/vars endpoint returns an unredacted copy of those arguments, allowing any user with network access to the monitoring port to view the credentials. Thus an attacker can obtain the usernames and passwords required to connect as a client to the NATS server, leading to unauthorized access and potential compromise of the messaging system.

Affected Systems

Vendor nats-io’s nats-server product is affected. Versions prior to 2.11.15 and 2.12.6 contain the flaw. The security patch was introduced in nats-server 2.11.15 and 2.12.6, so any deployment running an earlier release must be updated. The issue is tied to the monitoring port feature; systems that expose this port to untrusted networks are at higher risk.

Risk and Exploitability

CVSS score 7.4 indicates high severity. The EPSS score is <1 %, suggesting a low probability of exploitation that may be opportunistic. The vulnerability is not listed in the CISA KEV catalog. Externally, the flaw can be exploited by anybody who can reach the monitoring port, such as a remote attacker who has network connectivity to the NATS server. Internally, local users with access to the same machine may also harvest credentials. Once obtained, the attacker can impersonate legitimate clients and potentially intercept or inject messages.

Generated by OpenCVE AI on March 26, 2026 at 18:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade nats-server to version 2.11.15 or later (for 2.11 series) or 2.12.6 or later (for 2.12 series) to apply the vendor patch.
  • If upgrading is not immediately possible, move all static credentials from command‑line arguments into a configuration file.
  • Disable the monitoring port, or configure it to be accessible only from trusted networks or via firewall.
  • Verify that no other services expose sensitive command‑line arguments and regularly review monitoring endpoint outputs.

Generated by OpenCVE AI on March 26, 2026 at 18:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-x6g4-f6q3-fqvv NATS credentials are exposed in monitoring port via command-line argv
History

Fri, 27 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Linuxfoundation
Linuxfoundation nats-server
CPEs cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*
Vendors & Products Linuxfoundation
Linuxfoundation nats-server

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Nats
Nats nats Server
Vendors & Products Nats
Nats nats Server

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-214
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 25 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Description NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, if a nats-server is run with static credentials for all clients provided via argv (the command-line), then those credentials are visible to any user who can see the monitoring port, if that too is enabled. The `/debug/vars` end-point contains an unredacted copy of argv. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, configure credentials inside a configuration file instead of via argv, and do not enable the monitoring port if using secrets in argv. Best practice remains to not expose the monitoring port to the Internet, or to untrusted network sources.
Title NATS credentials are exposed in monitoring port via command-line argv
Weaknesses CWE-215
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Linuxfoundation Nats-server
Nats Nats Server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T19:52:12.479Z

Reserved: 2026-03-18T02:42:27.509Z

Link: CVE-2026-33247

cve-icon Vulnrichment

Updated: 2026-03-26T19:51:12.713Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T20:16:33.223

Modified: 2026-03-26T17:17:07.590

Link: CVE-2026-33247

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-25T20:02:18Z

Links: CVE-2026-33247 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:30:10Z

Weaknesses