CVE-2026-33249

medium

Red Hat

CVSS v3 Base Score

6.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

EPSS Score

0.0%

Exploitation probability in 30 days

Top 93% most likely to be exploited

Attack Characteristics

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Confidentiality

Low

Integrity

Low

Availability

None

Published: March 25, 2026 (49 days ago)

Last Modified: March 25, 2026

Vendor: Red Hat

Source: REDHAT

Description

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission. The payload is a valid trace message and not chosen by the attacker. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.

CWE

CWE-1220

Affected Products

Multicluster Global HubRed Hat OpenShift Container Platform 4

References

🔗 bugzilla.redhat.com 🔗 www.cve.org 🔗 nvd.nist.gov 🔗 advisories.nats.io 🔗 github.com

CVE-2026-33249

Vulnerability Report

Description

CWE

Affected Products

References