CVE-2026-33223

Medium CVSS: 6.4

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, the NATS message header `Nats-Request-Info:` is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective. An attacker with valid credentials for any regular client interface could thus spoof their identity to services which rely upon this header. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.

Vendor

Linuxfoundation

Product

Nats-server

CWE

CWE-290

Yayın Tarihi

2026-03-25 21:16:47

Güncelleme

2026-03-26 17:18:04

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-290 Nats-server MEDIUM Linuxfoundation 2026

Referanslar

https://advisories.nats.io/CVE/secnote-2026-09.txt https://github.com/nats-io/nats-server/security/advisories/GHSA-pwx7-fx9r-hr4h

Benzer Kayıtlar

Critical

CVE-2026-33701

OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. I…

Medium

CVE-2026-33015

EVerest is an EV charging software stack. Prior to version 2026.02.0, even immediately after CSMS performs a RemoteStop…

High

CVE-2026-33009

EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to C++ UB (potential memo…

Medium

CVE-2026-33014

EVerest is an EV charging software stack. Prior to version 2026.02.0, during RemoteStop processing, a delayed authorizat…

Medium

CVE-2026-27815

EVerest is an EV charging software stack. Prior to versions to 2026.02.0, ISO15118_chargerImpl::handle_session_setup cop…

Medium

CVE-2026-27816

EVerest is an EV charging software stack. Prior to versions to 2026.02.0, ISO15118_chargerImpl::handle_update_energy_tra…