{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33249", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T02:42:27.509Z", "datePublished": "2026-03-25T20:21:30.156Z", "dateUpdated": "2026-03-25T20:21:30.156Z"}, "containers": {"cna": {"title": "NATS: Message tracing can be redirected to arbitrary subject", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-8m2x-3m6q-6w8j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-8m2x-3m6q-6w8j"}, {"name": "https://advisories.nats.io/CVE/secnote-2026-15.txt", "tags": ["x_refsource_MISC"], "url": "https://advisories.nats.io/CVE/secnote-2026-15.txt"}], "affected": [{"vendor": "nats-io", "product": "nats-server", "versions": [{"version": ">= 2.11.0, < 2.11.15", "status": "affected"}, {"version": ">= 2.12.0-preview.1, < 2.12.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T20:21:30.156Z"}, "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission. The payload is a valid trace message and not chosen by the attacker. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available."}], "source": {"advisory": "GHSA-8m2x-3m6q-6w8j", "discovery": "UNKNOWN"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "matchCriteriaId": "04A14239-FB32-4FD3-8B45-BDE015A7F721", "versionEndExcluding": "2.11.15", "versionStartIncluding": "2.11.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "matchCriteriaId": "4E347CFB-C56D-4FD8-8DD8-3D34C08D7154", "versionEndExcluding": "2.12.6", "versionStartIncluding": "2.12.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission. The payload is a valid trace message and not chosen by the attacker. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available."}], "id": "CVE-2026-33249", "lastModified": "2026-03-26T16:20:55.100", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-25T21:16:47.737", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://advisories.nats.io/CVE/secnote-2026-15.txt"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-8m2x-3m6q-6w8j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "github.com/nats-io/nats-server: NATS-Server: Unauthorized trace message redirection via message tracing headers", "id": "2451485", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451485"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-1220", "details": ["A flaw was found in NATS-Server. A valid client can exploit this flaw by manipulating message tracing headers to redirect trace messages to any valid subject, even those for which the client lacks publish permissions. This allows for unauthorized sending of trace messages, potentially bypassing intended access controls and leading to information misdirection within the NATS.io messaging system."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-33249", "package_state": [{"cpe": "cpe:/a:redhat:multicluster_globalhub", "fix_state": "Fix deferred", "package_name": "multicluster-globalhub/multicluster-globalhub-grafana-rhel9", "product_name": "Multicluster Global Hub"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/oc-mirror-plugin-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-03-25T20:21:30Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33249\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33249\nhttps://advisories.nats.io/CVE/secnote-2026-15.txt\nhttps://github.com/nats-io/nats-server/security/advisories/GHSA-8m2x-3m6q-6w8j"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.11.0,2.11.15)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.12.0-preview.1,2.12.6)"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 91.0, "source": "matching"}]}, "original": {"product": "nats-server", "source": "cna", "vendor": "nats-io"}, "product": "nats_server", "vendor": "nats"}], "analysis": {"en": {"generated_at": "2026-03-26T04:44:55.551846+00:00", "value": {"mitigation_remediation": ["Update nats-server to version 2.11.15 or later, or to 2.12.6 or later where the fix is applied."], "summary": {"action": "Apply Patch", "impact": "Unauthorized publishing of trace messages to restricted subjects"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in nats-io\u2019s nats-server and affects all builds starting with version 2.11.0 up to, but not including, 2.11.15, and from 2.12.0 up to, but not including, 2.12.6. Versions 2.11.15, 2.12.6, and later contain the fix.", "description_and_impact": "A client that uses NATS message tracing headers can cause the server to send trace messages to any valid subject, even when the client does not hold permission to publish to that subject. The trace message payload is a system\u2011generated trace message and not chosen by the attacker. This allows the attacker to publish to subjects they should not be able to reach, violating the intended isolation between subjects.", "risk_and_exploitability": "The CVSS score is 4.3, indicating low to moderate risk. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog, suggesting limited known exploitation. An attacker must be able to connect to the NATS server and send messages with tracing headers; no local privilege escalation or container escape is required. The exploitation path is remote and does not rely on any additional pre\u2011conditions beyond standard client connectivity."}}}}, "created": "2026-03-26T11:31:42.685608+00:00", "updated": "2026-03-26T12:09:35.815822+00:00", "vendors": ["nats", "nats$PRODUCT$nats_server"]}