CVE-2026-33249 MEDIUM

CVE-2026-33249: NATS: Message tracing can be redirected to arbitrary subject

Vendor Nats-Io

Product nats-server

Weakness CWE-863 · Incorrect authorization

Published March 25, 2026

Last update March 26, 2026

View on NVD All CVEs

CVSS base score

4.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission. The payload is a valid trace message and not chosen by the attacker. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.

Key dates

02Disclosure timeline

March 25, 2026 CVE published

March 26, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-33249

Related vulnerabilities

Identifiers

CVE CVE-2026-33249

CWE CWE-863

CVSS 4.3 / MEDIUM

Affected versions

Vendor Nats-Io

Product nats-server

Affected >= 2.11.0, < 2.11.15

Vendor Nats-Io

Product nats-server

Affected >= 2.12.0-preview.1, < 2.12.6

CVE-2026-33249: NATS: Message tracing can be redirected to arbitrary subject

01Description

02Disclosure timeline

03References

04Related CVE