NATS-Server Message Tracing Vulnerability Allows Unauthorized Subject Redirection

Vulnerability

NATS-Server versions 2.11.0 up to but not including 2.11.15, and 2.12.0 up to but not including 2.12.6, are affected. NATS message tracing lets a publishing client ask the server to emit trace events by setting the trace-destination header (Nats-Trace-Dest) to the subject that should receive them. Affected servers publish those trace events to that subject without checking whether the client is permitted to publish there, so a client can route server-generated trace messages onto any subject, including ones its publish permissions exclude. The payload is constrained: it is a valid trace message produced by the server, not content chosen by the client, so the flaw yields unauthorized delivery of trace data rather than injection of arbitrary messages.
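The authorization decision at the heart of the issue, as an added model that is not nats-server code: a NATS-style subject matcher and allow/deny publish permissions are applied to the subject named in Nats-Trace-Dest. The "vulnerable" path sends the trace event wherever the header says; the "fixed" path first asks whether the client could publish to that subject. The permission set, the header block and the choice to drop the trace silently (rather than reject the message) are constructed assumptions for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Permissions holds a client's publish permissions as NATS subject patterns:
// "*" matches exactly one token, ">" matches one or more trailing tokens.
// This is a constructed model, not the nats-server implementation.
type Permissions struct {
	Allow []string
	Deny  []string
}

// subjectMatches reports whether subj matches pattern under NATS wildcard rules.
func subjectMatches(pattern, subj string) bool {
	p := strings.Split(pattern, ".")
	s := strings.Split(subj, ".")
	for i, tok := range p {
		if tok == ">" {
			return i < len(s) // ">" needs at least one remaining token
		}
		if i >= len(s) {
			return false
		}
		if tok != "*" && tok != s[i] {
			return false
		}
	}
	return len(p) == len(s)
}

// CanPublish follows NATS semantics: a deny match wins; an empty allow list
// permits everything not denied; otherwise the subject must match an allow.
func (p Permissions) CanPublish(subj string) bool {
	for _, d := range p.Deny {
		if subjectMatches(d, subj) {
			return false
		}
	}
	if len(p.Allow) == 0 {
		return true
	}
	for _, a := range p.Allow {
		if subjectMatches(a, subj) {
			return true
		}
	}
	return false
}

// traceDest extracts Nats-Trace-Dest from a NATS header block
// ("NATS/1.0\r\nName: value\r\n...\r\n\r\n"); "" when absent.
func traceDest(hdr string) string {
	for _, line := range strings.Split(hdr, "\r\n") {
		name, val, ok := strings.Cut(line, ":")
		if ok && strings.EqualFold(strings.TrimSpace(name), "Nats-Trace-Dest") {
			return strings.TrimSpace(val)
		}
	}
	return ""
}

// Delivery records where the modelled server would emit the trace event.
type Delivery struct {
	Subject string
	Sent    bool
}

// deliverTraceVulnerable models the pre-fix behaviour described in the
// advisory: the trace goes to the header subject with no permission check.
func deliverTraceVulnerable(_ Permissions, hdr string) Delivery {
	dest := traceDest(hdr)
	if dest == "" {
		return Delivery{}
	}
	return Delivery{Subject: dest, Sent: true}
}

// deliverTraceFixed applies the client's publish permissions to the trace
// destination; dropping the trace silently is an assumption of this model.
func deliverTraceFixed(perms Permissions, hdr string) Delivery {
	dest := traceDest(hdr)
	if dest == "" || !perms.CanPublish(dest) {
		return Delivery{}
	}
	return Delivery{Subject: dest, Sent: true}
}

func main() {
	// Constructed client that may publish only under "orders.>".
	client := Permissions{Allow: []string{"orders.>"}}
	// Constructed header naming a subject outside that scope.
	hdr := "NATS/1.0\r\nNats-Trace-Dest: _INBOX.admin.traces\r\n\r\n"
	fmt.Printf("vulnerable: %+v\n", deliverTraceVulnerable(client, hdr))
	fmt.Printf("fixed:      %+v\n", deliverTraceFixed(client, hdr))
}
```

The point the model makes is that the trace destination is a publish target chosen by the client and must pass through the same publish authorization as the message's own subject; any server-side feature that lets a client name a subject needs that check.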

Impact

A client with restricted publish permissions can cause the server to deliver trace messages to subjects it is not allowed to publish to directly. Subscribers on those subjects receive server-generated trace events they never requested, which bypasses the authorization model for those subjects. The client does not control the payload, so the impact is limited to unauthorized delivery of trace data.

Remediation

Upgrade to NATS-Server 2.11.15 or later on the 2.11 line, or 2.12.6 or later on the 2.12 line.
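A fleet check against the version ranges stated above, as an added example that is not part of this advisory: it parses a version string (as printed by `nats-server -v` or returned in the `version` field of the server's `/varz` monitoring endpoint) and reports whether it falls inside an affected range. The sample `/varz` body is constructed; treating a pre-release of a fixed version (for example `2.11.15-RC.1`) as still affected is a conservative choice of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// affectedRange is a [from, fixed) interval on one release line.
type affectedRange struct{ from, fixed [3]int }

// advisoryRanges are the affected ranges from the advisory text.
var advisoryRanges = []affectedRange{
	{[3]int{2, 11, 0}, [3]int{2, 11, 15}},
	{[3]int{2, 12, 0}, [3]int{2, 12, 6}},
}

// parseVersion accepts "2.11.14", "v2.11.14" or "2.11.15-RC.1" and returns
// major/minor/patch plus whether a pre-release tag was present.
func parseVersion(s string) ([3]int, bool, error) {
	var v [3]int
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	core, tag, _ := strings.Cut(s, "-")
	pre := tag != ""
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return v, pre, fmt.Errorf("unexpected version %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return v, pre, fmt.Errorf("unexpected version %q: %w", s, err)
		}
		v[i] = n
	}
	return v, pre, nil
}

// less is a lexicographic compare on major, minor, patch.
func less(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// IsAffected reports whether version lies inside one of advisoryRanges.
// A pre-release of the fixed version sorts before the fixed release and is
// therefore treated as affected (conservative assumption of this example).
func IsAffected(version string) (bool, error) {
	v, pre, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	for _, r := range advisoryRanges {
		if !less(v, r.from) && (less(v, r.fixed) || (pre && v == r.fixed)) {
			return true, nil
		}
	}
	return false, nil
}

// varz is the subset of the /varz response this check needs.
type varz struct {
	ServerName string `json:"server_name"`
	Version    string `json:"version"`
}

// CheckVarz parses a /varz JSON body and returns name, version and verdict.
func CheckVarz(body []byte) (name, version string, affected bool, err error) {
	var z varz
	if err := json.Unmarshal(body, &z); err != nil {
		return "", "", false, err
	}
	affected, err = IsAffected(z.Version)
	return z.ServerName, z.Version, affected, err
}

func main() {
	// Constructed /varz sample; real responses carry many more fields.
	sample := []byte(`{"server_name":"nats-1","version":"2.11.14","go":"go1.23.4"}`)
	name, ver, affected, err := CheckVarz(sample)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s runs %s, affected=%v\n", name, ver, affected)
}
```

Run it against each server's monitoring port rather than trusting package metadata: the binary actually serving traffic is what matters, and clustered deployments often end up with mixed versions mid-rollout.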

Added: Mar 25, 2026, 9:53 PM
Updated: Mar 25, 2026, 9:53 PM

Vulnerability Rating

Custom Algorithm

spread: 6.2
impact: 0.6
exploitability: 5.2
remediation: 7.7
relevance: 4.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.