CVE-2026-27889
Published 2026-03-25
Priority P3 · 49 · high · 7.5 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.58% (43.4th percentile)
NATS-Server is a high-performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.2.0 and prior to versions 2.11.14 and 2.12.5, a missing sanity check on a WebSockets frame could trigger a server panic in the nats-server. This happens before authentication, and so is exposed to anyone who can connect to the WebSockets port. Versions 2.11.14 and 2.12.5 contain a fix. A workaround is available. The vulnerability only affects deployments which use WebSockets and which expose the network port to untrusted endpoints. Where possible, restricting either of these (disabling WebSockets, or limiting who can reach the port) is a defense-in-depth measure that mitigates the attack.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | nats-server | < nats-server 2.12.6-1 (forky) | nats-server 2.12.6-1 (forky) |
| github.com | nats-io_nats-server_v2 | >= 2.12.0 < 2.12.5 | 2.12.5 |
| github.com | nats-io_nats-server_v2 | >= 2.2.0 < 2.11.14 | 2.11.14 |
| linuxfoundation | nats-server | >= 0 < 2.12.6-1 | 2.12.6-1 |
| linuxfoundation | nats-server | >= 2.12.0 < 2.12.5 | 2.12.5 |
| linuxfoundation | nats-server | >= 2.2.0 < 2.11.14 | 2.11.14 |
| nats-io | nats-server | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | 7.5 | HIGH | |
| vendor_debian | 7.5 | HIGH | |
| vendor_redhat | 7.5 | HIGH | |
OSV
NATS: Pre-auth remote server crash via WebSocket frame length overflow in wsRead in github.com/nats-io/nats-server
osv · 2026-03-26
OSV
CVE-2026-27889: NATS-Server is a High-Performance server for NATS
osv · 2026-03-25 · CVSS 7.5 · HIGH
OSV
NATS: Pre-auth remote server crash via WebSocket frame length overflow in wsRead
osv · 2026-03-25 · HIGH
### Background
NATS.io is a high-performance, open-source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
When using WebSockets, a malicious client can trigger a server crash with crafted frames, before authentication.
### Problem Description
A missing sanity check on a WebSockets frame could trigger a server panic in the nats-server. This happens before authentication, and so is exposed to anyone who can connect to the WebSockets port.
### Affected versions
Version 2 from v2.2.0 onwards, prior to v2.11.14 or v2.12.5
### Workarounds
This only affects deployments which use WebSockets and which expose the network port to untrusted end-points. If ab
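The advisory names the root cause as a frame length overflow in the WebSocket reader. The following is an added, defensive illustration of the kind of length validation an RFC 6455 frame reader needs before it trusts a client-supplied payload length; it is example code written for this page, not nats-server's wsRead and not the project's actual fix, and MaxPayload is an assumed limit rather than a NATS setting.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const MaxPayload = 16 << 20 // assumed per-frame cap for this example, not a NATS setting

var (
	ErrShort     = errors.New("ws: frame header truncated")
	ErrBadLength = errors.New("ws: payload length violates RFC 6455 encoding rules")
	ErrTooLarge  = errors.New("ws: payload length exceeds limit")
)

// FrameLength validates an RFC 6455 frame header and returns the payload length and
// header size (masking key included), range-checking every client-supplied value first.
func FrameLength(buf []byte) (payload uint64, hdr int, err error) {
	if len(buf) < 2 {
		return 0, 0, ErrShort
	}
	n, pos := uint64(buf[1]&0x7f), 2
	switch n {
	case 126: // 16-bit extended length
		if len(buf) < pos+2 {
			return 0, 0, ErrShort
		}
		n, pos = uint64(binary.BigEndian.Uint16(buf[pos:])), pos+2
	case 127: // 64-bit extended length; MSB must be 0 (would wrap negative as int64)
		if len(buf) < pos+8 {
			return 0, 0, ErrShort
		}
		n, pos = binary.BigEndian.Uint64(buf[pos:]), pos+8
		if n>>63 != 0 || n < 1<<16 {
			return 0, 0, ErrBadLength
		}
	}
	if buf[1]&0x80 != 0 { // client-to-server frames carry a 4-byte masking key
		pos += 4
	}
	if n > MaxPayload {
		return 0, 0, ErrTooLarge
	}
	return n, pos, nil
}

func main() { // constructed sample: 64-bit length field with the sign bit set
	fmt.Println(FrameLength([]byte{0x82, 0x7f, 0x80, 0, 0, 0, 0, 0, 0, 0}))
}
```

A reader that enforces these checks returns an error the connection handler can close on, instead of letting a hostile length reach buffer sizing or signed arithmetic and panic the whole server.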
GHSA
NATS: Pre-auth remote server crash via WebSocket frame length overflow in wsRead
ghsa · 2026-03-25 · HIGH · CWE-190
Red Hat
github.com/nats-io/nats-server: NATS-Server: Denial of Service via malformed WebSockets frame
vendor_redhat · 2026-03-25 · CVSS 7.5 · HIGH · CWE-1286
A flaw was found in NATS-Server, a high-perform
Debian
CVE-2026-27889: nats-server - NATS-Server is a High-Performance server for NATS.io, a cloud and edge native me...
vendor_debian · 2026 · CVSS 7.5 · HIGH
Scope: local
bookworm: open
forky: resolved (fixed in 2.12.6-1)
sid: resolved (fixed in 2.12.6-1)
trixie: open
No detection rules found.
No public exploits indexed.
References:
- https://advisories.nats.io/CVE/secnote-2026-03.txt
- https://github.com/nats-io/nats-server/security/advisories/GHSA-pq2q-rcw4-3hr6
- https://access.redhat.com/errata/RHSA-2026:21769
- https://access.redhat.com/errata/RHSA-2026:22347
- https://access.redhat.com/errata/RHSA-2026:23345
- https://access.redhat.com/security/cve/CVE-2026-27889
- https://bugzilla.redhat.com/show_bug.cgi?id=2451447
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27889.json
Published: 2026-03-25