CVE-2026-33223

Published: Mar 25, 2026 Last Modified: Mar 25, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 6,4

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: none

Scope: changed

Confidentiality: low

Integrity: low

Availability: none

Description

AI Translation Available

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, the NATS message header `Nats-Request-Info:` is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective. An attacker with valid credentials for any regular client interface could thus spoof their identity to services which rely upon this header. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.

290

Authentication Bypass by Spoofing

Incomplete

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Access Control

Potential Impacts:

Bypass Protection Mechanism Gain Privileges Or Assume Identity

Applicable Platforms

All platforms may be affected

View CWE Details

https://advisories.nats.io/CVE/secnote-2026-09.txt

https://github.com/nats-io/nats-server/security/advisories/…

https://github.com/nats-io/nats-server/security/advisories/GHSA-pwx7-fx9r-hr4h

CVE-2026-33223

Description

Authentication Bypass by Spoofing

Common Consequences

Applicable Platforms

Iscriviti alla newsletter