logo

Database

Spoofing In github.com/nats-io/nats-server/v2

Description

NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server offers a Nats-Request-Info: message header, providing information about a request.

Problem Description

The NATS message header Nats-Request-Info: is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective.

An attacker with valid credentials for any regular client interface could thus spoof their identity to services which rely upon this header.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

None.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-332232. NVD-2026-332233. OSV-2026-332234. GHSA-pwx7-fx9r-hr4h5. GCVE-2026-33223

References

1. https://github.com/nats-io/nats-server/security/advisories/GHSA-pwx7-fx9r-hr4h2. https://advisories.nats.io/CVE/secnote-2026-09.txt

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.