SB20260422222 - Multiple vulnerabilities in nats-server
Published: April 22, 2026 Updated: April 23, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 11 vulnerabilities.
1) Incorrect authorization (CVE-ID: CVE-2026-33249)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass authorization process.
The vulnerability exists due to incorrect authorization. A remote user can redirect message tracing to arbitrary subject.
2) Unprotected storage of credentials (CVE-ID: CVE-2026-33216)
CWE-ID: CWE-256 - Unprotected Storage of Credentials
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to other users' credentials.
The vulnerability exists due to application stored credentials in plain text within MQTT. A remote attacker can gain access to sensitive information on the system.
3) Incorrect authorization (CVE-ID: CVE-2026-33217)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists due to insufficient authorization controls. A remote user can bypass ACL checks for MQTT subjects
4) Improper Authentication (CVE-ID: CVE-2026-33246)
CWE-ID: CWE-287 - Improper Authentication
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to improper authentication within leafnode connections. A remote user can spoof the Nats-Request-Info identity headers.
5) Input validation error (CVE-ID: CVE-2026-33218)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in the leafnode port. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
6) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-33219)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to allocation of resources without limits or throttling within WebSockets client service. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
7) Authentication Bypass by Spoofing (CVE-ID: CVE-2026-33223)
CWE-ID: CWE-290 - Authentication Bypass by Spoofing
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to incomplete stripping of Nats-Request-Info header. A remote user can spoof their identity to services which rely upon this header.
8) Improper Authorization (CVE-ID: CVE-2026-33222)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass authorization checks.
The vulnerability exists due to insufficient authorization controls in Management API. A remote administrator can bypass the stream restore endpoint.
9) Improper Authentication (CVE-ID: CVE-2026-33248)
CWE-ID: CWE-287 - Improper Authentication
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to incorrect Subject DN matching. A remote attacker can bypass authentication process and gain unauthorized access to the application.
10) Insertion of Sensitive Information Into Debugging Code (CVE-ID: CVE-2026-33247)
CWE-ID: CWE-215 - Insertion of Sensitive Information Into Debugging Code
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to credentials via command-line argv exposed to monitoring. A remote attacker can gain access to sensitive information on the system.
11) Improper Authentication (CVE-ID: CVE-2026-33215)
CWE-ID: CWE-287 - Improper Authentication
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to the MQTT hijacking issue via Client ID. A remote attacker can hijack sessions and messages on the target system.
Remediation
Install update from vendor's website.
References
- https://github.com/nats-io/nats-server/security/advisories/GHSA-8m2x-3m6q-6w8j
- https://github.com/nats-io/nats-server/security/advisories/GHSA-v722-jcv5-w7mc
- https://github.com/nats-io/nats-server/security/advisories/GHSA-jxxm-27vp-c3m5
- https://github.com/nats-io/nats-server/security/advisories/GHSA-55h8-8g96-x4hj
- https://github.com/nats-io/nats-server/security/advisories/GHSA-vprv-35vv-q339
- https://github.com/nats-io/nats-server/security/advisories/GHSA-8r68-gvr4-jh7j
- https://github.com/nats-io/nats-server/security/advisories/GHSA-pwx7-fx9r-hr4h
- https://github.com/nats-io/nats-server/security/advisories/GHSA-9983-vrx2-fg9c
- https://github.com/nats-io/nats-server/security/advisories/GHSA-3f24-pcvm-5jqc
- https://github.com/nats-io/nats-server/security/advisories/GHSA-x6g4-f6q3-fqvv
- https://github.com/nats-io/nats-server/security/advisories/GHSA-fcjp-h8cc-6879