Bug 2451479 (CVE-2026-33223)

Summary: CVE-2026-33223 nats-server: github.com/nats-io/nats-server: NATS-Server: Identity spoofing via `Nats-Request-Info:` header
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: alcohan, gparvin, jbalunas, pahickey, rhaigner
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in NATS-Server. An authenticated attacker could exploit a vulnerability where the `Nats-Request-Info:` message header was not effectively stripped from inbound messages. This allowed the attacker to spoof their identity to services relying on this header, potentially leading to unauthorized access or actions.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2451503    
Bug Blocks:    

Description OSIDB Bzimport 2026-03-25 21:01:52 UTC
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, the NATS message header `Nats-Request-Info:` is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective. An attacker with valid credentials for any regular client interface could thus spoof their identity to services which rely upon this header. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.