6.4

CVE-2026-33223

EPSS 0.01%
Veröffentlicht 25.03.2026 20:20:00
Zuletzt bearbeitet 26.03.2026 17:18:04
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, the NATS message header `Nats-Request-Info:` is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective. An attacker with valid credentials for any regular client interface could thus spoof their identity to services which rely upon this header. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

NVD 2 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linuxfoundation ≫ Nats-server Version < 2.11.15

Linuxfoundation ≫ Nats-server Version >= 2.12.0 < 2.12.6

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.011

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
security-advisories@github.com	6.4	3.1	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CWE-290 Authentication Bypass by Spoofing

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

https://github.com/nats-io/nats-server/security/advisories/GHSA-pwx7-fx9r-hr4h

Vendor Advisory

https://advisories.nats.io/CVE/secnote-2026-09.txt

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-33223

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-33223

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-33223

EUVD