Subject: nats-server: Internal identity header Nats-Request-Info spoofable

NATS-advisory-ID: 2026-09
Aliases: CVE-2026-33223, GHSA-pwx7-fx9r-hr4h
Date: 2026-03-24
Fixed-In: 2.12.6, 2.11.15

Background:

NATS.io is a high performance open source pub-sub distributed communication
technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server offers a `Nats-Request-Info:` message header, providing
information about a request.


Problem Description:

The NATS message header Nats-Request-Info: is supposed to be a guarantee
of identity by the NATS server, but the stripping of this header from
inbound messages was not fully effective.

An attacker with valid credentials for any regular client interface
could thus spoof their identity to services which rely upon this header.


Affected Versions:

 nats-server: any version before v2.12.6 or v2.11.15


Workarounds:

None.


References:

 * This document is canonically:
   <https://advisories.nats.io/CVE/secnote-2026-09.txt>
 * GHSA advisory:
   <https://github.com/nats-io/nats-server/security/advisories/GHSA-pwx7-fx9r-hr4h>
 * MITRE CVE entry:
   <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33223>