A vulnerability labeled as critical has been found in nats-io nats-server up to 2.11.14/2.12.5. This affects an unknown part of the component Nats-Request-Info Identity Header Handler. The manipulation results in authentication bypass by spoofing. This vulnerability is reported as CVE-2026-33246. The attack can be launched remotely. No exploit exists. The affected component should be upgraded.