{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33249", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T02:42:27.509Z", "datePublished": "2026-03-25T20:21:30.156Z", "dateUpdated": "2026-03-25T20:21:30.156Z"}, "containers": {"cna": {"title": "NATS: Message tracing can be redirected to arbitrary subject", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-8m2x-3m6q-6w8j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-8m2x-3m6q-6w8j"}, {"name": "https://advisories.nats.io/CVE/secnote-2026-15.txt", "tags": ["x_refsource_MISC"], "url": "https://advisories.nats.io/CVE/secnote-2026-15.txt"}], "affected": [{"vendor": "nats-io", "product": "nats-server", "versions": [{"version": ">= 2.11.0, < 2.11.15", "status": "affected"}, {"version": ">= 2.12.0-preview.1, < 2.12.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T20:21:30.156Z"}, "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission. The payload is a valid trace message and not chosen by the attacker. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available."}], "source": {"advisory": "GHSA-8m2x-3m6q-6w8j", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission. The payload is a valid trace message and not chosen by the attacker. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available."}], "id": "CVE-2026-33249", "lastModified": "2026-03-25T21:16:47.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-25T21:16:47.737", "references": [{"source": "security-advisories@github.com", "url": "https://advisories.nats.io/CVE/secnote-2026-15.txt"}, {"source": "security-advisories@github.com", "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-8m2x-3m6q-6w8j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "github.com/nats-io/nats-server: NATS-Server: Unauthorized trace message redirection via message tracing headers", "id": "2451485", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451485"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-1220", "details": ["A flaw was found in NATS-Server. A valid client can exploit this flaw by manipulating message tracing headers to redirect trace messages to any valid subject, even those for which the client lacks publish permissions. This allows for unauthorized sending of trace messages, potentially bypassing intended access controls and leading to information misdirection within the NATS.io messaging system."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-33249", "package_state": [{"cpe": "cpe:/a:redhat:multicluster_globalhub", "fix_state": "Fix deferred", "package_name": "multicluster-globalhub/multicluster-globalhub-grafana-rhel9", "product_name": "Multicluster Global Hub"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/oc-mirror-plugin-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-03-25T20:21:30Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33249\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33249\nhttps://advisories.nats.io/CVE/secnote-2026-15.txt\nhttps://github.com/nats-io/nats-server/security/advisories/GHSA-8m2x-3m6q-6w8j"], "threat_severity": "Moderate"}

{}