{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33247", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T02:42:27.509Z", "datePublished": "2026-03-25T20:02:18.868Z", "dateUpdated": "2026-03-26T19:52:12.479Z"}, "containers": {"cna": {"title": "NATS credentials are exposed in monitoring port via command-line argv", "problemTypes": [{"descriptions": [{"cweId": "CWE-215", "lang": "en", "description": "CWE-215: Insertion of Sensitive Information Into Debugging Code", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-x6g4-f6q3-fqvv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-x6g4-f6q3-fqvv"}, {"name": "https://advisories.nats.io/CVE/secnote-2026-14.txt", "tags": ["x_refsource_MISC"], "url": "https://advisories.nats.io/CVE/secnote-2026-14.txt"}], "affected": [{"vendor": "nats-io", "product": "nats-server", "versions": [{"version": "< 2.11.15", "status": "affected"}, {"version": ">= 2.12.0-RC.1, < 2.12.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T20:02:18.868Z"}, "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, if a nats-server is run with static credentials for all clients provided via argv (the command-line), then those credentials are visible to any user who can see the monitoring port, if that too is enabled. The `/debug/vars` end-point contains an unredacted copy of argv. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, configure credentials inside a configuration file instead of via argv, and do not enable the monitoring port if using secrets in argv. Best practice remains to not expose the monitoring port to the Internet, or to untrusted network sources."}], "source": {"advisory": "GHSA-x6g4-f6q3-fqvv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33247", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T19:36:35.906107Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:52:12.479Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33247", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T19:36:35.906107Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:51:12.713Z"}}], "cna": {"title": "NATS credentials are exposed in monitoring port via command-line argv", "source": {"advisory": "GHSA-x6g4-f6q3-fqvv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "nats-io", "product": "nats-server", "versions": [{"status": "affected", "version": "< 2.11.15"}, {"status": "affected", "version": ">= 2.12.0-RC.1, < 2.12.6"}]}], "references": [{"url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-x6g4-f6q3-fqvv", "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-x6g4-f6q3-fqvv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://advisories.nats.io/CVE/secnote-2026-14.txt", "name": "https://advisories.nats.io/CVE/secnote-2026-14.txt", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, if a nats-server is run with static credentials for all clients provided via argv (the command-line), then those credentials are visible to any user who can see the monitoring port, if that too is enabled. The `/debug/vars` end-point contains an unredacted copy of argv. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, configure credentials inside a configuration file instead of via argv, and do not enable the monitoring port if using secrets in argv. Best practice remains to not expose the monitoring port to the Internet, or to untrusted network sources."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-215", "description": "CWE-215: Insertion of Sensitive Information Into Debugging Code"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T20:02:18.868Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33247", "state": "PUBLISHED", "dateUpdated": "2026-03-26T19:52:12.479Z", "dateReserved": "2026-03-18T02:42:27.509Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-25T20:02:18.868Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "matchCriteriaId": "13EA156E-2759-4586-A22E-CDEAAD4D610C", "versionEndExcluding": "2.11.15", "vulnerable": true}, {"criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "matchCriteriaId": "4E347CFB-C56D-4FD8-8DD8-3D34C08D7154", "versionEndExcluding": "2.12.6", "versionStartIncluding": "2.12.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, if a nats-server is run with static credentials for all clients provided via argv (the command-line), then those credentials are visible to any user who can see the monitoring port, if that too is enabled. The `/debug/vars` end-point contains an unredacted copy of argv. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, configure credentials inside a configuration file instead of via argv, and do not enable the monitoring port if using secrets in argv. Best practice remains to not expose the monitoring port to the Internet, or to untrusted network sources."}], "id": "CVE-2026-33247", "lastModified": "2026-03-26T17:17:07.590", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-25T20:16:33.223", "references": [{"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://advisories.nats.io/CVE/secnote-2026-14.txt"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-x6g4-f6q3-fqvv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-215"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "github.com/nats-io/nats-server: NATS-Server: Information disclosure of credentials via monitoring port and command-line arguments", "id": "2451486", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451486"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-214", "details": ["A flaw was found in NATS-Server. If the NATS-Server is configured with static credentials provided through command-line arguments (argv) and the monitoring port is enabled, a remote attacker with access to the monitoring port can view these credentials. The /debug/vars endpoint on the monitoring port exposes an unredacted copy of the command-line arguments, leading to information disclosure of sensitive authentication details."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-33247", "package_state": [{"cpe": "cpe:/a:redhat:multicluster_globalhub", "fix_state": "Affected", "package_name": "multicluster-globalhub/multicluster-globalhub-grafana-rhel9", "product_name": "Multicluster Global Hub"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/oc-mirror-plugin-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-03-25T20:02:18Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33247\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33247\nhttps://advisories.nats.io/CVE/secnote-2026-14.txt\nhttps://github.com/nats-io/nats-server/security/advisories/GHSA-x6g4-f6q3-fqvv"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.11.15)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.12.0-RC.1,2.12.6)"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 91.0, "source": "matching"}]}, "original": {"product": "nats-server", "source": "cna", "vendor": "nats-io"}, "product": "nats_server", "vendor": "nats"}], "analysis": {"en": {"generated_at": "2026-03-26T18:26:24.769272+00:00", "value": {"mitigation_remediation": ["Upgrade nats-server to version 2.11.15 or later (for 2.11 series) or 2.12.6 or later (for 2.12 series) to apply the vendor patch.", "If upgrading is not immediately possible, move all static credentials from command\u2011line arguments into a configuration file.", "Disable the monitoring port, or configure it to be accessible only from trusted networks or via firewall.", "Verify that no other services expose sensitive command\u2011line arguments and regularly review monitoring endpoint outputs."], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Vendor nats-io\u2019s nats-server product is affected. Versions prior to 2.11.15 and 2.12.6 contain the flaw. The security patch was introduced in nats-server 2.11.15 and 2.12.6, so any deployment running an earlier release must be updated. The issue is tied to the monitoring port feature; systems that expose this port to untrusted networks are at higher risk.", "description_and_impact": "The vulnerability arises when nats-server is started with static credentials supplied as command\u2011line arguments. The monitoring port\u2019s /debug/vars endpoint returns an unredacted copy of those arguments, allowing any user with network access to the monitoring port to view the credentials. Thus an attacker can obtain the usernames and passwords required to connect as a client to the NATS server, leading to unauthorized access and potential compromise of the messaging system.", "risk_and_exploitability": "CVSS score 7.4 indicates high severity. The EPSS score is <1\u202f%, suggesting a low probability of exploitation that may be opportunistic. The vulnerability is not listed in the CISA KEV catalog. Externally, the flaw can be exploited by anybody who can reach the monitoring port, such as a remote attacker who has network connectivity to the NATS server. Internally, local users with access to the same machine may also harvest credentials. Once obtained, the attacker can impersonate legitimate clients and potentially intercept or inject messages."}}}}, "created": "2026-03-25T21:46:19.207280+00:00", "updated": "2026-03-27T09:30:10.014012+00:00", "vendors": ["nats", "nats$PRODUCT$nats_server"]}