Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission. The payload is a valid trace message and not chosen by the attacker. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.
Published: 2026-03-25
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized publication of trace messages to disallowed subjects
Action: Immediate Patch
AI Analysis

Impact

When a client uses message tracing headers, the server treats the trace messages as normal messages and publishes them to the subject specified in the header, even if the client lacks permission to publish there. The attacker cannot choose the payload, but can force the server to expose trace data on otherwise protected subjects, potentially leaking sensitive information or violating access controls.

Affected Systems

NATS‑Io Server is affected. Versions 2.11.0 through 2.11.14 and 2.12.0 through 2.12.5 allow the issue; releases 2.11.15 and 2.12.6 and later include a fix.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity while the EPSS score below 1 % suggests low exploit probability. The vulnerability is not listed in the KEV catalog. An attacker must have a legitimate NATS client connection with tracing enabled; after that, the server can be coerced into publishing trace messages to arbitrary subjects. No privileged escalation beyond the client’s own permissions is required.

Generated by OpenCVE AI on March 26, 2026 at 17:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NATS‑Io Server to version 2.11.15, 2.12.6, or later.
  • If an upgrade is pending, disable message tracing headers on clients or configure the server to reject trace messages with arbitrary subject redirection.

Generated by OpenCVE AI on March 26, 2026 at 17:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8m2x-3m6q-6w8j NATS: Message tracing can be redirected to arbitrary subject
History

Thu, 26 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Linuxfoundation
Linuxfoundation nats-server
CPEs cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*
Vendors & Products Linuxfoundation
Linuxfoundation nats-server

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Nats
Nats nats Server
Vendors & Products Nats
Nats nats Server

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1220
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 25 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission. The payload is a valid trace message and not chosen by the attacker. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.
Title NATS: Message tracing can be redirected to arbitrary subject
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Linuxfoundation Nats-server
Nats Nats Server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T19:52:12.206Z

Reserved: 2026-03-18T02:42:27.509Z

Link: CVE-2026-33249

cve-icon Vulnrichment

Updated: 2026-03-26T19:51:06.457Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T21:16:47.737

Modified: 2026-03-26T16:20:55.100

Link: CVE-2026-33249

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-25T20:21:30Z

Links: CVE-2026-33249 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:29:43Z

Weaknesses