CVE-2026-33247
Published: 25 March 2026
Summary
CVE-2026-33247 is a high-severity Insertion of Sensitive Information Into Debugging Code (CWE-215) vulnerability in Linuxfoundation Nats-Server (the nats-io/nats-server project). Its CVSS v3.1 base score is 7.4 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Unsecured Credentials (T1552). It ranks at the 2.4th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and CM-7 (Least Functionality).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Authenticator management: manages and protects authenticators such as static credentials from unauthorized disclosure, here by keeping them out of command-line arguments that a monitoring endpoint can reflect back to unauthenticated callers.
- CM-6 (Configuration Settings): establishes and enforces secure configuration settings, here by passing credentials through a configuration file rather than argv and by disabling or restricting the monitoring port.
- CM-7 (Least Functionality): prohibits unnecessary features, here the monitoring port, so that unredacted credentials are never exposed in the first place.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability exposes static credentials in cleartext through the unauthenticated /debug/vars endpoint on the monitoring port (CWE-215), which is credential retrieval under T1552 Unsecured Credentials. Exploitation requires reachability of the explicitly enabled monitoring interface, so where that interface is public-facing it also aligns with T1190 Exploit Public-Facing Application.
NVD Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, if a nats-server is run with static credentials for all clients provided via argv (the command-line), then those credentials are visible to any user who can see the monitoring port, if that too is enabled. The `/debug/vars` end-point contains an unredacted copy of argv. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, configure credentials inside a configuration file instead of via argv, and do not enable the monitoring port if using secrets in argv. Best practice remains to not expose the monitoring port to the Internet, or to untrusted network sources.
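The workaround above, written out as configuration. This is an added example, not text from the advisory or a file shipped by the NATS project; the user name, password and paths are placeholders, and `--user`, `--pass`, `-m`, `-c`, `http` and the `authorization` block are used here as the nats-server flags and config keys we understand them to be (confirm against `nats-server --help` and the server's configuration reference for your version).

```conf
# Vulnerable shape: secrets on the command line with monitoring enabled.
# On affected versions, anyone who can reach port 8222 reads the whole
# argv back from /debug/vars, password included:
#
#   nats-server --user app --pass 'S3cret!' -m 8222
#
# Corrected shape: no secrets on argv. Start the server with
#
#   nats-server -c /etc/nats/nats-server.conf
#
# and keep the file readable only by the service account (chmod 600),
# because the secret now lives on disk instead of in the process arguments.

listen: 0.0.0.0:4222

# Monitoring bound to loopback only. Omit this line to disable monitoring
# entirely; never bind it to an interface reachable from untrusted networks.
http: 127.0.0.1:8222

authorization {
  user: app
  # nats-server accepts a bcrypt hash in this field instead of the cleartext
  # password, which is preferable once the secret is in a file.
  password: "S3cret!"
}
```

Note that moving the secret into a file does not change what `/debug/vars` reflects; it only ensures argv no longer contains anything worth reflecting. The loopback bind is the second, independent half of the workaround and is still worth applying after upgrading to a fixed version.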
Deeper analysis
CVE-2026-33247 is a vulnerability in NATS-Server, the high-performance server for the NATS.io cloud and edge native messaging system. In versions prior to 2.11.15 and 2.12.6, the issue occurs when static credentials for all clients are provided via command-line arguments (argv). If the monitoring port is enabled, these credentials appear unredacted in the /debug/vars endpoint, exposing sensitive information to anyone able to access that endpoint. The flaw is classified under CWE-215 (Insertion of Sensitive Information Into Debugging Code).
An attacker needs network access to the monitoring port, which must be explicitly enabled, so exploitation depends on a misconfiguration. No privileges or user interaction are required; attack complexity is rated High because success hinges on conditions outside the attacker's control (credentials passed on argv, and the monitoring port enabled and reachable). Successful exploitation reveals the static credentials: high confidentiality impact from the leak itself, and high integrity impact because the attacker can then impersonate clients of the messaging system. The CVSS v3.1 vector is AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N, base score 7.4.
Versions 2.11.15 and 2.12.6 of NATS-Server contain fixes for this vulnerability. As a workaround, configure credentials in a file instead of argv and disable the monitoring port if secrets are used in argv. Advisories emphasize not exposing the monitoring port to the Internet or untrusted networks as a best practice. Further details are in the NATS security note at https://advisories.nats.io/CVE/secnote-2026-14.txt and GitHub advisory GHSA-x6g4-f6q3-fqvv at https://github.com/nats-io/nats-server/security/advisories/GHSA-x6g4-f6q3-fqvv.
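A check a practitioner can run against their own fleet: fetch /debug/vars from a monitoring port and flag argv entries that carry credentials. This is an added example written for this page, not nats-server code and not part of the advisory. It assumes the endpoint returns Go expvar-style JSON with the process arguments under the key "cmdline" (the advisory says only that the endpoint holds an unredacted copy of argv; the key name is our assumption), and that `--user`, `--pass` and `--auth` are the flags that carry static credentials (verify against `nats-server --help`). The sample response is constructed, and a local test server stands in for a vulnerable nats-server so the program runs offline.

```go
// Added example, not nats-server code. Audits a nats-server monitoring port
// for credentials leaked through the /debug/vars argv copy (CVE-2026-33247).
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Flags whose value is a credential. Assumed to be nats-server's static
// credential flags; confirm against `nats-server --help` for your version.
var secretFlags = map[string]bool{
	"--user": true, "-user": true,
	"--pass": true, "-pass": true,
	"--auth": true, "-auth": true,
}

// Finding is one leaked argument. The value is masked so that the audit
// output itself does not become a second copy of the secret.
type Finding struct {
	Flag   string // e.g. "--pass"
	Masked string // first two characters kept for triage, rest replaced by '*'
}

// sampleDebugVars is a constructed response (not captured from a real server)
// in the shape Go's expvar emits: "cmdline" plus other variables we ignore.
const sampleDebugVars = `{
  "cmdline": ["nats-server", "--user", "app", "--pass=Sup3rS3cret!", "--auth", "tok3n", "-m", "8222"],
  "memstats": {"Alloc": 123456}
}`

func mask(v string) string {
	if len(v) <= 2 {
		return strings.Repeat("*", len(v))
	}
	return v[:2] + strings.Repeat("*", len(v)-2)
}

// AuditDebugVars parses a /debug/vars body and returns every credential found
// in cmdline, handling both "--flag value" and "--flag=value" spellings.
func AuditDebugVars(body []byte) ([]Finding, error) {
	var vars struct {
		Cmdline []string `json:"cmdline"`
	}
	if err := json.Unmarshal(body, &vars); err != nil {
		return nil, fmt.Errorf("parse /debug/vars: %w", err)
	}
	var out []Finding
	for i := 0; i < len(vars.Cmdline); i++ {
		arg := vars.Cmdline[i]
		if flag, val, ok := strings.Cut(arg, "="); ok && secretFlags[flag] {
			out = append(out, Finding{Flag: flag, Masked: mask(val)})
			continue
		}
		if secretFlags[arg] && i+1 < len(vars.Cmdline) {
			out = append(out, Finding{Flag: arg, Masked: mask(vars.Cmdline[i+1])})
			i++ // the next element is the value; do not re-scan it
		}
	}
	return out, nil
}

// CheckMonitoringPort GETs <base>/debug/vars with no credentials, exactly as
// an unauthenticated network peer would, and audits whatever comes back.
func CheckMonitoringPort(base string) ([]Finding, error) {
	client := &http.Client{Timeout: 5 * time.Second}
	resp, err := client.Get(strings.TrimRight(base, "/") + "/debug/vars")
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %s", resp.Status)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return nil, err
	}
	return AuditDebugVars(body)
}

func main() {
	// Stand-in for a vulnerable monitoring port: serves the constructed sample.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/debug/vars" {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		io.WriteString(w, sampleDebugVars)
	}))
	defer srv.Close()

	findings, err := CheckMonitoringPort(srv.URL) // real use: "http://host:8222"
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("credential exposed via argv: %s %s\n", f.Flag, f.Masked)
	}
}
```

Point it at `http://host:8222` for each server in your inventory; any finding means the host is running with secrets on argv and an exposed monitoring port, and the fix is both an upgrade to 2.11.15 / 2.12.6 and the move to a configuration file, since a fixed server still should not receive its credentials on the command line where `ps` and `/proc/<pid>/cmdline` can read them.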
Details
- CWE(s)