{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-19T13:31:22.809","vulnerabilities":[{"cve":{"id":"CVE-2026-33246","sourceIdentifier":"security-advisories@github.com","published":"2026-03-25T20:16:33.010","lastModified":"2026-03-26T17:16:21.447","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server offers a `Nats-Request-Info:` message header, providing information about a request. This is supposed to provide enough information to allow for account/user identification, such that NATS clients could make their own decisions on how to trust a message, provided that they trust the nats-server as a broker. A leafnode connecting to a nats-server is not fully trusted unless the system account is bridged too. Thus identity claims should not have propagated unchecked. Prior to versions 2.11.15 and 2.12.6, NATS clients relying upon the Nats-Request-Info: header could be spoofed. This does not directly affect the nats-server itself, but the CVSS Confidentiality and Integrity scores are based upon what a hypothetical client might choose to do with this NATS header. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available."},{"lang":"es","value":"NATS-Server es un servidor de alto rendimiento para NATS.io, un sistema de mensajería nativo de la nube y del borde. El nats-server ofrece un encabezado de mensaje 'Nats-Request-Info:', que proporciona información sobre una solicitud. Se supone que esto proporciona suficiente información para permitir la identificación de cuenta/usuario, de modo que los clientes NATS puedan tomar sus propias decisiones sobre cómo confiar en un mensaje, siempre que confíen en el nats-server como un intermediario. Un nodo hoja que se conecta a un nats-server no es completamente confiable a menos que la cuenta del sistema también esté interconectada. Por lo tanto, las afirmaciones de identidad no deberían haberse propagado sin verificar. Antes de las versiones 2.11.15 y 2.12.6, los clientes NATS que dependían del encabezado 'Nats-Request-Info:' podían ser suplantados. Esto no afecta directamente al nats-server en sí, pero las puntuaciones de Confidencialidad e Integridad de CVSS se basan en lo que un cliente hipotético podría decidir hacer con este encabezado NATS. Las versiones 2.11.15 y 2.12.6 contienen una solución. No hay soluciones alternativas conocidas disponibles."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N","baseScore":6.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.1,"impactScore":2.7},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.5}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-287"},{"lang":"en","value":"CWE-290"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*","versionEndExcluding":"2.11.15","matchCriteriaId":"13EA156E-2759-4586-A22E-CDEAAD4D610C"},{"vulnerable":true,"criteria":"cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*","versionStartIncluding":"2.12.0","versionEndExcluding":"2.12.6","matchCriteriaId":"4E347CFB-C56D-4FD8-8DD8-3D34C08D7154"}]}]}],"references":[{"url":"https://advisories.nats.io/CVE/secnote-2026-08.txt","source":"security-advisories@github.com","tags":["Vendor Advisory"]},{"url":"https://github.com/nats-io/nats-server/security/advisories/GHSA-55h8-8g96-x4hj","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}