Lucene search
K

526 matches found

CVE
CVE
added 2026/03/25 8:21 p.m.17 views

CVE-2026-33249

NATS-Server vulnerability CVE-2026-33249 affects versions 2.11.0 through 2.11.14 and 2.12.0 through 2.12.5. A valid client using message tracing headers can cause trace messages to be sent to an arbitrary valid subject, including subjects the client cannot publish to; the payload is a valid trace...

4.3CVSS5.9AI score0.00228EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/25 8:21 p.m.3 views

CVE-2026-33249 NATS: Message tracing can be redirected to arbitrary subject

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject,...

4.3CVSS5.9AI score0.00228EPSS
Exploits0References2
AlpineLinux
AlpineLinux
added 2026/03/25 8:21 p.m.2 views

CVE-2026-33249

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject,...

4.3CVSS5.9AI score0.00228EPSS
Exploits0
Debian CVE
Debian CVE
added 2026/03/25 8:20 p.m.4 views

CVE-2026-33223

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, the NATS message header Nats-Request-Info: is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was...

6.4CVSS6AI score0.00211EPSS
Exploits0
Cvelist
Cvelist
added 2026/03/25 8:20 p.m.26 views

CVE-2026-33223 NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, the NATS message header Nats-Request-Info: is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was...

6.4CVSS0.00211EPSS
Exploits0References2
CVE
CVE
added 2026/03/25 8:20 p.m.25 views

CVE-2026-33223

CVE-2026-33223 affects NATS-Server. Prior to versions 2.11.15 and 2.12.6, the Nats-Request-Info header, intended to guarantee identity, could still be stripped incompletely from inbound messages, allowing an attacker with valid credentials to spoof identity to services relying on that header. The...

6.4CVSS5.8AI score0.00211EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/25 8:20 p.m.5 views

CVE-2026-33223 NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, the NATS message header Nats-Request-Info: is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was...

6.4CVSS5.8AI score0.00211EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/03/25 8:18 p.m.5 views

CVE-2026-33248

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with verifyandmap to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be...

4.2CVSS5.8AI score0.00143EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/03/25 8:18 p.m.5 views

CVE-2026-33248 NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with verifyandmap to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be...

4.2CVSS5.8AI score0.00143EPSS
Exploits0References4
CVE
CVE
added 2026/03/25 8:18 p.m.13 views

CVE-2026-33248

NATS-Server has an authentication bypass vulnerability in mTLS verify_and_map where certain RDN patterns in the client certificate Subject DN were not correctly enforced. A valid certificate from a trusted CA could bypass identity checks on versions prior to 2.11.15 and 2.12.6. The issue is consi...

4.2CVSS5.8AI score0.00143EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/03/25 8:18 p.m.25 views

CVE-2026-33248 NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with verifyandmap to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be...

4.2CVSS0.00143EPSS
Exploits0References2
Debian CVE
Debian CVE
added 2026/03/25 8:18 p.m.9 views

CVE-2026-33248

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with verifyandmap to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be...

4.2CVSS6.1AI score0.00143EPSS
Exploits0
AlpineLinux
AlpineLinux
added 2026/03/25 8:18 p.m.6 views

CVE-2026-33248

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with verifyandmap to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be...

4.2CVSS5.8AI score0.00143EPSS
Exploits0
OSV
OSV
added 2026/03/25 8:16 p.m.2 views

DEBIAN-CVE-2026-33246

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server offers a Nats-Request-Info: message header, providing information about a request. This is supposed to provide enough information to allow for account/user identification, such that NAT...

5.4CVSS6.2AI score0.00143EPSS
Exploits0References1
NVD
NVD
added 2026/03/25 8:16 p.m.11 views

CVE-2026-33247

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, if a nats-server is run with static credentials for all clients provided via argv the command-line, then those credentials are visible to any user who can see the...

7.5CVSS0.00414EPSS
Exploits0References8
OSV
OSV
added 2026/03/25 8:16 p.m.3 views

DEBIAN-CVE-2026-33247

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, if a nats-server is run with static credentials for all clients provided via argv the command-line, then those credentials are visible to any user who can see the...

5.3CVSS6.1AI score0.00414EPSS
Exploits0References1
OSV
OSV
added 2026/03/25 8:16 p.m.3 views

DEBIAN-CVE-2026-33216

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement JWT and exposed via monitoring...

7.5CVSS6AI score0.00365EPSS
Exploits0References1
OSV
OSV
added 2026/03/25 8:16 p.m.4 views

DEBIAN-CVE-2026-33217

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using ACLs on message subjects, these ACLs were not applied in the $MQTT. namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects. Versions...

6.5CVSS6.1AI score0.00259EPSS
Exploits0References1
OSV
OSV
added 2026/03/25 8:16 p.m.2 views

DEBIAN-CVE-2026-33218

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication. Versions 2.11.15 and 2.12.6 contain ...

7.5CVSS6AI score0.00616EPSS
Exploits0References1
OSV
OSV
added 2026/03/25 8:16 p.m.3 views

DEBIAN-CVE-2026-33219

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a...

5.3CVSS6.1AI score0.00532EPSS
Exploits0References1
Rows per page
Query Builder