CVE-2026-33249: NATS: Message tracing can be redirected to arbitrary subject

March 24, 2026 (updated March 25, 2026)

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server supports telemetry on messages, using the per-message NATS headers.

Problem Description

A valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission.

The payload is a valid trace message and not chosen by the attacker.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

None.

References

advisories.nats.io/CVE/secnote-2026-15.txt
github.com/advisories/GHSA-8m2x-3m6q-6w8j
github.com/nats-io/nats-server
github.com/nats-io/nats-server/security/advisories/GHSA-8m2x-3m6q-6w8j
nvd.nist.gov/vuln/detail/CVE-2026-33249

Code Behaviors & Features

Detect and mitigate CVE-2026-33249 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →