Nixpkgs security tracker
NIXPKGS-2026-0762
GitHub issue
published 3 months ago
Permalink
CVE-2026-33249
4.3 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): None (N)
- Integrity (I): Low (L)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): None (N)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): Low (L)
- Modified Availability (MA): None (N)
by @LeSuisse Activity log
- Created suggestion
- @LeSuisse accepted
- @LeSuisse published on GitHub
NATS: Message tracing can be redirected to arbitrary subject
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission. The payload is a valid trace message and not chosen by the attacker. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.
References
-
https://github.com/nats-io/nats-server/security/advisories/GHSA-8m2x-3m6q-6w8j x_refsource_CONFIRM
-
https://advisories.nats.io/CVE/secnote-2026-15.txt x_refsource_MISC
Affected products
nats-server
- ==>= 2.12.0-preview.1, < 2.12.6
- ==>= 2.11.0, < 2.11.15
Matching in nixpkgs
pkgs.nats-server
High-Performance server for NATS
Package maintainers
-
@derekcollison Derek Collison <derek@nats.io>
-
@swdunlop Scott W. Dunlop <swdunlop@gmail.com>