
Commit 015098a

1 parent f6fdec3 commit 015098a

File tree: 3 files changed, +241 -0 lines changed

Lines changed: 81 additions & 0 deletions
@@ -0,0 +1,81 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-55h8-8g96-x4hj",
4+
"modified": "2026-03-24T21:50:25Z",
5+
"published": "2026-03-24T21:50:25Z",
6+
"aliases": [
7+
"CVE-2026-33246"
8+
],
9+
"summary": "NATS: Leafnode connections allow spoofing of Nats-Request-Info identity headers",
10+
"details": "### Background\n\nNATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.\n\nThe nats-server allows hub/spoke topologies using \"leafnode\" connections by other nats-servers. NATS messages can have headers.\n\n### Problem Description\n\nThe nats-server offers a `Nats-Request-Info:` message header, providing information about a request. This is supposed to provide enough information to allow for account/user identification, such that NATS clients could make their own decisions on how to trust a message, provided that they trust the nats-server as a broker.\n\nA leafnode connecting to a nats-server is not fully trusted unless the system account is bridged too. Thus identity claims should not have propagated unchecked.\n\nThus NATS clients relying upon the Nats-Request-Info: header could be spoofed.\n\nDoes not directly affect the nats-server itself, but the CVSS Confidentiality and Integrity scores are based upon what a hypothetical client might choose to do with this NATS header.\n\n### Affected Versions\n\nAny version before v2.12.6 or v2.11.15\n\n### Workarounds\n\nNone.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/nats-io/nats-server/v2"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "2.11.15"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "Go",
40+
"name": "github.com/nats-io/nats-server/v2"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "2.12.0-RC.1"
48+
},
49+
{
50+
"fixed": "2.12.6"
51+
}
52+
]
53+
}
54+
]
55+
}
56+
],
57+
"references": [
58+
{
59+
"type": "WEB",
60+
"url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-55h8-8g96-x4hj"
61+
},
62+
{
63+
"type": "WEB",
64+
"url": "https://advisories.nats.io/CVE/secnote-2026-08.txt"
65+
},
66+
{
67+
"type": "PACKAGE",
68+
"url": "https://github.com/nats-io/nats-server"
69+
}
70+
],
71+
"database_specific": {
72+
"cwe_ids": [
73+
"CWE-287",
74+
"CWE-290"
75+
],
76+
"severity": "MODERATE",
77+
"github_reviewed": true,
78+
"github_reviewed_at": "2026-03-24T21:50:25Z",
79+
"nvd_published_at": null
80+
}
81+
}
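Review bot: the `details` field (hunk line 10) never states which side of a leafnode link does the header stripping, so an operator reading "Any version before v2.12.6 or v2.11.15" cannot tell whether the hub, the leaf, or both must be upgraded to close the spoofing path in a hub/spoke deployment; suggest adding one sentence to the Affected Versions or Problem Description section saying which server(s) need the fix. Minor style point in the same field: two consecutive sentences open with "Thus" ("Thus identity claims should not have propagated unchecked." / "Thus NATS clients relying upon the Nats-Request-Info: header could be spoofed."); folding the first into the preceding sentence, e.g. "...unless the system account is bridged too, so identity claims arriving over that connection should not have propagated unchecked.", reads more cleanly and keeps one "Thus" for the actual conclusion.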
Lines changed: 80 additions & 0 deletions
@@ -0,0 +1,80 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-9983-vrx2-fg9c",
4+
"modified": "2026-03-24T21:49:35Z",
5+
"published": "2026-03-24T21:49:34Z",
6+
"aliases": [
7+
"CVE-2026-33222"
8+
],
9+
"summary": "NATS JetStream has an authorization bypass through its Management API",
10+
"details": "### Background\n\nNATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.\n\nThe persistent storage feature, JetStream, has a management API which has many features, amongst which are backup and restore.\n\n### Problem Description\n\nUsers with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them.\n\n### Affected Versions\n\nAny version before v2.12.6 or v2.11.15\n\n### Workarounds\n\nIf developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/nats-io/nats-server/v2"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "2.11.15"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "Go",
40+
"name": "github.com/nats-io/nats-server/v2"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "2.12.0-RC.1"
48+
},
49+
{
50+
"fixed": "2.12.6"
51+
}
52+
]
53+
}
54+
]
55+
}
56+
],
57+
"references": [
58+
{
59+
"type": "WEB",
60+
"url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-9983-vrx2-fg9c"
61+
},
62+
{
63+
"type": "WEB",
64+
"url": "https://advisories.nats.io/CVE/secnote-2026-12.txt"
65+
},
66+
{
67+
"type": "PACKAGE",
68+
"url": "https://github.com/nats-io/nats-server"
69+
}
70+
],
71+
"database_specific": {
72+
"cwe_ids": [
73+
"CWE-285"
74+
],
75+
"severity": "MODERATE",
76+
"github_reviewed": true,
77+
"github_reviewed_at": "2026-03-24T21:49:34Z",
78+
"nvd_published_at": null
79+
}
80+
}
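Review bot: the workaround sentence in `details` (hunk line 10) is ambiguous: "If developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions" can be read either as revoking the restore permission from those users or as removing the limits on it. Given the Problem Description (a user permitted to restore one stream could restore to other stream names), the intended mitigation is presumably to revoke the restore permission itself until the server is upgraded; suggest rewording to say exactly that, e.g. "temporarily revoke JetStream restore permission from users who were only meant to restore specific streams, until upgrading to v2.12.6 or v2.11.15". It would also help to say explicitly that users with unrestricted JetStream admin access are not affected by this advisory, if that is the case, since the PR:H vector and the scoped-permission wording imply the issue only matters where restore rights were limited per stream.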
Lines changed: 80 additions & 0 deletions
@@ -0,0 +1,80 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-pwx7-fx9r-hr4h",
4+
"modified": "2026-03-24T21:50:05Z",
5+
"published": "2026-03-24T21:50:05Z",
6+
"aliases": [
7+
"CVE-2026-33223"
8+
],
9+
"summary": "NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing",
10+
"details": "### Background\n\nNATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.\n\nThe nats-server offers a `Nats-Request-Info:` message header, providing information about a request.\n\n### Problem Description\n\nThe NATS message header `Nats-Request-Info:` is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective.\n\nAn attacker with valid credentials for any regular client interface could thus spoof their identity to services which rely upon this header.\n\n### Affected Versions\n\nAny version before v2.12.6 or v2.11.15\n\n### Workarounds\n\nNone.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/nats-io/nats-server/v2"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "2.11.15"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "Go",
40+
"name": "github.com/nats-io/nats-server/v2"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "2.12.0-RC.1"
48+
},
49+
{
50+
"fixed": "2.12.6"
51+
}
52+
]
53+
}
54+
]
55+
}
56+
],
57+
"references": [
58+
{
59+
"type": "WEB",
60+
"url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-pwx7-fx9r-hr4h"
61+
},
62+
{
63+
"type": "WEB",
64+
"url": "https://advisories.nats.io/CVE/secnote-2026-09.txt"
65+
},
66+
{
67+
"type": "PACKAGE",
68+
"url": "https://github.com/nats-io/nats-server"
69+
}
70+
],
71+
"database_specific": {
72+
"cwe_ids": [
73+
"CWE-290"
74+
],
75+
"severity": "MODERATE",
76+
"github_reviewed": true,
77+
"github_reviewed_at": "2026-03-24T21:50:05Z",
78+
"nvd_published_at": null
79+
}
80+
}
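Review bot: this advisory and GHSA-55h8-8g96-x4hj (added in the same commit) concern the same `Nats-Request-Info:` header, the same fixed versions (2.11.15 and 2.12.6) and carry an identical CVSS vector, but neither `references` list nor either `details` section points at the other; suggest adding a cross-reference in each so that anyone triaging CVE-2026-33223 sees the leafnode-specific variant (CVE-2026-33246) alongside it. The `cwe_ids` also differ (CWE-290 here versus CWE-287 and CWE-290 in the sibling) for what both summaries describe as identity spoofing via the same header; if the split is intentional, a short note in `details` explaining it would avoid the appearance of inconsistency. Finally, "the stripping of this header from inbound messages was not fully effective" (hunk line 10) does not say which inbound paths were missed, which is what an operator needs in order to judge exposure before upgrading; even a one-clause description of the affected ingress would make the advisory actionable on its own.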
