Cyber Resilience

CVE-2026-33246

Medium

Published: 25 March 2026

Published
25 March 2026
Modified
26 March 2026
KEV Added
Patch
CVSS Score v3.1 6.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
EPSS Score 0.0014 3.9th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-33246 is a medium-severity Improper Authentication (CWE-287) vulnerability in Linuxfoundation Nats-Server. Its CVSS base score is 6.4 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 3.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server offers a `Nats-Request-Info:` message header, providing information about a request. This is supposed to provide enough information to allow for account/user identification, such that…

more

NATS clients could make their own decisions on how to trust a message, provided that they trust the nats-server as a broker. A leafnode connecting to a nats-server is not fully trusted unless the system account is bridged too. Thus identity claims should not have propagated unchecked. Prior to versions 2.11.15 and 2.12.6, NATS clients relying upon the Nats-Request-Info: header could be spoofed. This does not directly affect the nats-server itself, but the CVSS Confidentiality and Integrity scores are based upon what a hypothetical client might choose to do with this NATS header. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1684.001 Impersonation Stealth
Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf.
Why these techniques?

CVE enables spoofing of account/user identity headers on a public-facing NATS server (CWE-290), directly facilitating application exploitation and impersonation of valid identities to downstream clients.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

linuxfoundation
nats-server
≤ 2.11.15 · 2.12.0 — 2.12.6

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-287 CWE-290

Detects unauthorized successful logons resulting from improper authentication implementations.

addresses: CWE-287 CWE-290

Security awareness training instructs users on secure authentication practices and avoiding credential compromise.

addresses: CWE-287 CWE-290

Identity proofing requires collecting, validating, and verifying evidence to resolve claims to unique individuals, directly preventing insufficient proof of identity during account establishment.

addresses: CWE-287 CWE-290

Enforces unique device identification and authentication before any connection is established, directly mitigating improper authentication weaknesses.

addresses: CWE-287 CWE-290

Mandates unique identification and authentication of non-organizational users, directly mitigating improper authentication.

addresses: CWE-287 CWE-290

Requires unique identification and authentication of services before any communications, directly mitigating improper authentication.

addresses: CWE-287 CWE-290

Requires authentication mechanisms on the wireless link, making improper authentication weaknesses harder to exploit.

addresses: CWE-287

Documented procedures ensure personnel are trained on authentication mechanisms, tangibly lowering the risk of improper authentication being exploited.

References