CVE-2026-33249

Source
https://cve.org/CVERecord?id=CVE-2026-33249
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33249.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33249
Aliases
Downstream
Related
Published
2026-03-25T20:21:30.156Z
Modified
2026-04-02T13:27:22.358750Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
NATS: Message tracing can be redirected to arbitrary subject
Details

NATS Server is a high-performance server for NATS.io, a cloud- and edge-native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid (authenticated) client that uses message tracing headers can direct the resulting trace messages to an arbitrary valid subject, including subjects to which the client does not have publish permission. The payload is a valid trace message generated by the server and is not chosen by the attacker. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33249.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-863"
    ]
}
References

Affected packages

Git / github.com/nats-io/nats-server

Affected ranges

Type
GIT
Repo
https://github.com/nats-io/nats-server
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.11.0"
        },
        {
            "fixed": "2.11.15"
        }
    ]
}
Type
GIT
Repo
https://github.com/nats-io/nats-server
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.12.0-preview.1"
        },
        {
            "fixed": "2.12.6"
        }
    ]
}

Affected versions

v2.*
v2.10.10
v2.10.11
v2.10.12
v2.10.14
v2.10.16
v2.10.17
v2.10.17-RC.1
v2.10.17-RC.2
v2.10.17-RC.3
v2.10.17-RC.4
v2.10.17-RC.5
v2.10.17-RC.6
v2.10.17-RC.7
v2.10.17-RC.8
v2.10.17-RC.9
v2.10.18
v2.10.18-RC.1
v2.10.18-RC.2
v2.10.18-RC.3
v2.10.18-RC.4
v2.10.19
v2.10.19-RC.2
v2.10.19-RC.3
v2.10.19-RC.4
v2.10.19-RC.5
v2.10.19-RC.6
v2.10.20
v2.10.21
v2.10.21-RC.1
v2.10.21-RC.2
v2.10.21-RC.3
v2.10.21-RC.4
v2.10.22
v2.10.22-RC.1
v2.10.22-RC.2
v2.10.22-RC.3
v2.10.23
v2.10.23-RC.1
v2.10.23-RC.10
v2.10.23-RC.11
v2.10.23-RC.12
v2.10.23-RC.2
v2.10.23-RC.3
v2.10.23-RC.4
v2.10.23-RC.5
v2.10.23-RC.6
v2.10.23-RC.7
v2.10.23-RC.8
v2.10.24
v2.10.24-RC.1
v2.10.24-RC.2
v2.10.24-RC.3
v2.10.25
v2.10.25-RC.1
v2.10.25-RC.2
v2.10.25-RC.3
v2.10.26
v2.10.26-RC.1
v2.10.26-RC.2
v2.10.26-RC.3
v2.10.26-RC.4
v2.10.26-RC.5
v2.10.26-RC.6
v2.10.26-RC.7
v2.10.27
v2.10.27-binary
v2.10.28
v2.10.28-RC.1
v2.10.28-RC.2
v2.10.28-RC.3
v2.10.29
v2.10.29-RC.1
v2.10.29-RC.2
v2.10.4
v2.10.5
v2.10.6
v2.10.7
v2.10.8
v2.10.9
v2.11.0
v2.11.0-RC.1
v2.11.0-RC.2
v2.11.0-RC.3
v2.11.0-RC.4
v2.11.0-RC.5
v2.11.0-dev
v2.11.0-preview.1
v2.11.0-preview.2
v2.11.1
v2.11.1-binary
v2.11.10
v2.11.10-RC.1
v2.11.11
v2.11.11-RC.1
v2.11.11-RC.2
v2.11.11-RC.3
v2.11.11-RC.4
v2.11.12
v2.11.12-RC.1
v2.11.12-RC.2
v2.11.12-RC.3
v2.11.12-RC.4
v2.11.12-RC.5
v2.11.12-RC.6
v2.11.12-RC.7
v2.11.14
v2.11.2
v2.11.2-RC.1
v2.11.2-RC.2
v2.11.2-RC.3
v2.11.3
v2.11.3-RC.1
v2.11.3-RC.2
v2.11.4
v2.11.4-RC.1
v2.11.4-RC.2
v2.11.4-RC.3
v2.11.5
v2.11.5-RC.1
v2.11.5-RC.2
v2.11.5-RC.3
v2.11.5-RC.4
v2.11.6
v2.11.6-RC.1
v2.11.7
v2.11.7-RC.1
v2.11.7-RC.2
v2.11.7-RC.3
v2.11.8
v2.11.8-RC.1
v2.11.9
v2.11.9-RC.1
v2.11.9-RC.2
v2.11.9-RC.3
v2.12.0
v2.12.0-RC.1
v2.12.0-RC.2
v2.12.0-RC.3
v2.12.0-RC.4
v2.12.0-RC.5
v2.12.0-RC.6
v2.12.0-preview.1
v2.12.0-preview.2
v2.12.1
v2.12.1-RC.1
v2.12.1-RC.2
v2.12.1-RC.3
v2.12.1-RC.4
v2.12.1-RC.5
v2.12.2
v2.12.2-RC.1
v2.12.2-RC.2
v2.12.2-RC.3
v2.12.2-RC.4
v2.12.3
v2.12.3-RC.1
v2.12.3-RC.2
v2.12.3-RC.3
v2.12.3-RC.4
v2.12.3-RC.5
v2.12.4
v2.12.4-RC.1
v2.12.4-RC.2
v2.12.4-RC.3
v2.12.4-RC.4
v2.12.4-RC.5
v2.12.4-RC.6
v2.12.5
v2.12.5-RC.1
v2.12.5-RC.2
v2.12.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33249.json"