NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing

GHSA-pwx7-fx9r-hr4h · BIT-nats-2026-33223 · CVE-2026-33223 · GO-2026-4835

Published Mar 24, 2026 · Modified Mar 27, 2026

Description

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server offers a Nats-Request-Info: message header, providing information about a request.

Problem Description

The NATS message header Nats-Request-Info: is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective.

An attacker with valid credentials for any regular client interface could thus spoof their identity to services which rely upon this header.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

None.

References

WEB https://github.com/nats-io/nats-server/security/advisories/GHSA-pwx7-fx9r-hr4h
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-33223
WEB https://advisories.nats.io/CVE/secnote-2026-09.txt
PACKAGE https://github.com/nats-io/nats-server

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes