Sign In

CVE-2026-33223

ADVISORY - github

Summary

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server offers a Nats-Request-Info: message header, providing information about a request.

Problem Description

The NATS message header Nats-Request-Info: is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective.

An attacker with valid credentials for any regular client interface could thus spoof their identity to services which rely upon this header.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

None.

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-290

Authentication Bypass by Spoofing

ADVISORY - github

CWE-290

Authentication Bypass by Spoofing

ADVISORY - redhat

CWE-807

Reliance on Untrusted Inputs in a Security Decision

Impacted images

Advisories
Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in