CVE-2026-33249

Name: CVE-2026-33249

Description: NATS-Server is a high-performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client that uses message tracing headers can indicate that the trace messages should be sent to an arbitrary valid subject, including subjects to which the client does not have publish permission. The payload is a valid trace message and is not chosen by the attacker. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.

Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package       Release    Version     Status
nats-server (PTS)    bookworm   2.9.10-1    fixed
                     trixie     2.10.27-1   fixed
                     forky      2.12.4-1    vulnerable
                     sid        2.12.6-1    vulnerable

The information below is based on the following data on fixed versions.

Package       Type     Release      Fixed Version    Urgency   Origin   Debian Bugs
nats-server   source   bookworm     (not affected)
nats-server   source   trixie       (not affected)
nats-server   source   (unstable)   (unfixed)

Notes

[trixie] - nats-server <not-affected> (Vulnerable code introduced later)
[bookworm] - nats-server <not-affected> (Vulnerable code introduced later)
https://github.com/nats-io/nats-server/security/advisories/GHSA-8m2x-3m6q-6w8j
https://advisories.nats.io/CVE/secnote-2026-15.txt
