Publish GHSA-8m2x-3m6q-6w8j

advisory-database[bot] · advisory-database[bot] · commit 5925f095ae38 · 2026-03-24T20:38:52.000Z
diff --git a/advisories/github-reviewed/2026/03/GHSA-8m2x-3m6q-6w8j/GHSA-8m2x-3m6q-6w8j.json b/advisories/github-reviewed/2026/03/GHSA-8m2x-3m6q-6w8j/GHSA-8m2x-3m6q-6w8j.json
@@ -0,0 +1,80 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8m2x-3m6q-6w8j",
+  "modified": "2026-03-24T20:37:08Z",
+  "published": "2026-03-24T20:37:08Z",
+  "aliases": [
+    "CVE-2026-33249"
+  ],
+  "summary": "NATS: Message tracing can be redirected to arbitrary subject",
+  "details": "### Impact\nA valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission.  The payload is a valid trace message and not attacker chosen.\n\n### Patches\nFixed in nats-server 2.12.6 & 2.11.15\n\n### Workarounds\nNone safe to use.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/nats-io/nats-server/v2"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.11.0"
+            },
+            {
+              "fixed": "2.11.15"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/nats-io/nats-server/v2"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.12.0-preview.1"
+            },
+            {
+              "fixed": "2.12.6"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-8m2x-3m6q-6w8j"
+    },
+    {
+      "type": "WEB",
+      "url": "https://advisories.nats.io/CVE/secnote-2026-15.txt"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/nats-io/nats-server"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-863"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-24T20:37:08Z",
+    "nvd_published_at": null
+  }
+}
