CVE-2026-33247

EUVD-2026-15975

25.03.2026, 20:16

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, if a nats-server is run with static credentials for all clients provided via argv (the command-line), then those credentials are visible to any user who can see the monitoring port, if that too is enabled. The `/debug/vars` end-point contains an unredacted copy of argv. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, configure credentials inside a configuration file instead of via argv, and do not enable the monitoring port if using secrets in argv. Best practice remains to not expose the monitoring port to the Internet, or to untrusted network sources.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.4 HIGH	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
GitHub_M	CNA	7.4 HIGH	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
linuxfoundation	nats-server	𝑥 < 2.11.15
linuxfoundation	nats-server	2.12.0 ≤ 𝑥 < 2.12.6

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-215 - Insertion of Sensitive Information Into Debugging Code
The application inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.

References

https://advisories.nats.io/CVE/secnote-2026-14.txt

https://github.com/nats-io/nats-server/security/advisories/GHSA-x6g4-f6q3-fqvv