GHSA-PWX7-FX9R-HR4H
Vulnerability from github – Published: 2026-03-24 21:50 – Updated: 2026-03-24 21:50
VLAI?
Summary
NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing
Details
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server offers a Nats-Request-Info: message header, providing information about a request.
Problem Description
The NATS message header Nats-Request-Info: is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective.
An attacker with valid credentials for any regular client interface could thus spoof their identity to services which rely upon this header.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
None.
Severity ?
6.4 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/nats-io/nats-server/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.11.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/nats-io/nats-server/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.12.0-RC.1"
},
{
"fixed": "2.12.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33223"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-24T21:50:05Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Background\n\nNATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.\n\nThe nats-server offers a `Nats-Request-Info:` message header, providing information about a request.\n\n### Problem Description\n\nThe NATS message header `Nats-Request-Info:` is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective.\n\nAn attacker with valid credentials for any regular client interface could thus spoof their identity to services which rely upon this header.\n\n### Affected Versions\n\nAny version before v2.12.6 or v2.11.15\n\n### Workarounds\n\nNone.",
"id": "GHSA-pwx7-fx9r-hr4h",
"modified": "2026-03-24T21:50:05Z",
"published": "2026-03-24T21:50:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-pwx7-fx9r-hr4h"
},
{
"type": "WEB",
"url": "https://advisories.nats.io/CVE/secnote-2026-09.txt"
},
{
"type": "PACKAGE",
"url": "https://github.com/nats-io/nats-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…