CVE-2026-33246
Published: 25 March 2026
Summary
CVE-2026-33246 is a medium-severity Improper Authentication (CWE-287) vulnerability in Linuxfoundation Nats-Server. Its CVSS base score is 6.4 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 3.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-15973
Vulnerability details
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server offers a `Nats-Request-Info:` message header, providing information about a request. This is supposed to provide enough information to allow for account/user identification, such that…
more
NATS clients could make their own decisions on how to trust a message, provided that they trust the nats-server as a broker. A leafnode connecting to a nats-server is not fully trusted unless the system account is bridged too. Thus identity claims should not have propagated unchecked. Prior to versions 2.11.15 and 2.12.6, NATS clients relying upon the Nats-Request-Info: header could be spoofed. This does not directly affect the nats-server itself, but the CVSS Confidentiality and Integrity scores are based upon what a hypothetical client might choose to do with this NATS header. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables spoofing of account/user identity headers on a public-facing NATS server (CWE-290), directly facilitating application exploitation and impersonation of valid identities to downstream clients.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Detects unauthorized successful logons resulting from improper authentication implementations.
Security awareness training instructs users on secure authentication practices and avoiding credential compromise.
Identity proofing requires collecting, validating, and verifying evidence to resolve claims to unique individuals, directly preventing insufficient proof of identity during account establishment.
Enforces unique device identification and authentication before any connection is established, directly mitigating improper authentication weaknesses.
Mandates unique identification and authentication of non-organizational users, directly mitigating improper authentication.
Requires unique identification and authentication of services before any communications, directly mitigating improper authentication.
Requires authentication mechanisms on the wireless link, making improper authentication weaknesses harder to exploit.
Documented procedures ensure personnel are trained on authentication mechanisms, tangibly lowering the risk of improper authentication being exploited.