CVE-2026-33247

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-33247
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33247.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33247
Aliases
Downstream
Related
Published
2026-03-25T20:02:18.868Z
Modified
2026-04-10T05:42:40.039174Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
NATS credentials are exposed in monitoring port via command-line argv
Details

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, if a nats-server is run with static credentials for all clients provided via argv (the command-line), then those credentials are visible to any user who can see the monitoring port, if that too is enabled. The /debug/vars end-point contains an unredacted copy of argv. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, configure credentials inside a configuration file instead of via argv, and do not enable the monitoring port if using secrets in argv. Best practice remains to not expose the monitoring port to the Internet, or to untrusted network sources.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33247.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-215"
    ]
}
References

Affected packages

Git / github.com/nats-io/nats-server

Affected ranges

Type
GIT
Repo
https://github.com/nats-io/nats-server
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
bef17e1d9de6574fae0eabe1798db0d4529834e4
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.11.15"
        }
    ]
}
Type
GIT
Repo
https://github.com/nats-io/nats-server
Events
Introduced
4dccf778573cd9a9e52fb8f119718459f6f2f761
Fixed
0e0639058e0d2d8fce0cc34941f9897da152ab32
Database specific 
{
    "versions": [
        {
            "introduced": "2.12.0-RC.1"
        },
        {
            "fixed": "2.12.6"
        }
    ]
}

Affected versions

v0.*
v0.5.1
v0.5.2
v0.5.4
v0.5.6
v0.6.0
v0.6.2
v0.6.4
v0.6.6
v0.6.8
v0.7.0
v0.7.2
v0.8.0
v0.8.1
v0.9.2
v0.9.4
v0.9.6
v1.*
v1.0.0
v1.0.2
v1.0.4
v1.0.6
v1.1.0
v1.2.0
v1.3.0
v2.*
v2.0.0
v2.0.0-RC14
v2.0.0-RC19
v2.0.2
v2.0.4
v2.1.0
v2.1.2
v2.1.4
v2.1.6
v2.1.7
v2.10.0
v2.10.1
v2.10.2
v2.10.3
v2.11.0
v2.11.0-RC.1
v2.11.0-RC.2
v2.11.0-RC.3
v2.11.0-RC.4
v2.11.0-RC.5
v2.11.10
v2.11.10-RC.1
v2.11.11
v2.11.11-RC.1
v2.11.11-RC.2
v2.11.11-RC.3
v2.11.11-RC.4
v2.11.12
v2.11.12-RC.1
v2.11.12-RC.2
v2.11.12-RC.3
v2.11.12-RC.4
v2.11.12-RC.5
v2.11.12-RC.6
v2.11.12-RC.7
v2.11.14
v2.11.2
v2.11.2-RC.1
v2.11.2-RC.2
v2.11.2-RC.3
v2.11.3
v2.11.3-RC.1
v2.11.3-RC.2
v2.11.4
v2.11.4-RC.1
v2.11.4-RC.2
v2.11.4-RC.3
v2.11.5
v2.11.5-RC.1
v2.11.5-RC.2
v2.11.5-RC.3
v2.11.5-RC.4
v2.11.6
v2.11.6-RC.1
v2.11.7
v2.11.7-RC.1
v2.11.7-RC.2
v2.11.7-RC.3
v2.11.8
v2.11.8-RC.1
v2.11.9
v2.11.9-RC.1
v2.11.9-RC.2
v2.11.9-RC.3
v2.12.0
v2.12.0-RC.1
v2.12.0-RC.2
v2.12.0-RC.3
v2.12.0-RC.4
v2.12.0-RC.5
v2.12.0-RC.6
v2.12.1
v2.12.1-RC.1
v2.12.1-RC.2
v2.12.1-RC.3
v2.12.1-RC.4
v2.12.1-RC.5
v2.12.2
v2.12.2-RC.1
v2.12.2-RC.2
v2.12.2-RC.3
v2.12.2-RC.4
v2.12.3
v2.12.3-RC.1
v2.12.3-RC.2
v2.12.3-RC.3
v2.12.3-RC.4
v2.12.3-RC.5
v2.12.4
v2.12.4-RC.1
v2.12.4-RC.2
v2.12.4-RC.3
v2.12.4-RC.4
v2.12.4-RC.5
v2.12.4-RC.6
v2.12.5
v2.12.5-RC.1
v2.12.5-RC.2
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.4.0
v2.5.0
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.7.0
v2.7.0-rc1
v2.7.0-rc2
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.8.4
v2.9.0
v2.9.1
v2.9.10
v2.9.11
v2.9.12
v2.9.14
v2.9.15
v2.9.16
v2.9.17
v2.9.18
v2.9.19
v2.9.2
v2.9.20
v2.9.21
v2.9.22
v2.9.3
v2.9.4
v2.9.5
v2.9.6
v2.9.7
v2.9.8
v2.9.9

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33247.json"