Zero Day Monitor
6.4
CVE-2026-33246

NATS: Leafnode connections allow spoofing of Nats-Request-Info identity headers

Description

A vulnerability labeled as critical has been found in nats-io nats-server up to 2.11.14/2.12.5. This affects an unknown part of the component Nats-Request-Info Identity Header Handler. The manipulation results in authentication bypass by spoofing. This vulnerability is reported as CVE-2026-33246. The attack can be launched remotely.

Affected Products

Vendor: go
Product: github.com/nats-io/nats-server/v2
Versions: go/github.com/nats-io/nats-server/v2: < 2.11.15, go/github.com/nats-io/nats-server/v2: >= 2.12.0-RC.1, < 2.12.6, up to 2.11.14, up to 2.12.5

References

  • https://github.com/advisories/GHSA-55h8-8g96-x4hj (advisory)
  • https://github.com/nats-io/nats-server/security/advisories/GHSA-55h8-8g96-x4hj
  • https://advisories.nats.io/CVE/secnote-2026-08.txt

Related News (1 articles)

Tier C
VulDB · 5h ago
CVE-2026-33246 | nats-io nats-server up to 2.11.14/2.12.5 Nats-Request-Info Identity Header authentication spoofing
→ No new info (linked only)

CVSS 3.1: 6.4 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CISA KEV: ❌ No
Actively exploited: ✅ Yes
CWE: CWE-287, CWE-290
Published: 3/24/2026
Last enriched: 3h ago · v2
Tags: GHSA-55h8-8g96-x4hj, go
Trending Score: 40
Source articles: 1
Independent: 1
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Verification

State: unverified
Confidence: 0%

Version History

v2
Last enriched 3h ago

v2 · Tier C · 3h ago

Updated severity to CRITICAL, added affected versions up to 2.11.14 and 2.12.5, and noted that no exploit exists.

description, affectedVersions, severity, activelyExploited
via VulDB

v1 · 11h ago

Initial creation