cbcvebase.
CVE-2026-27889
published 2026-03-25

CVE-2026-27889: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.2.0 and prior to versions 2.11.14 and…

PriorityP349high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
0.58%
43.4th percentile
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.2.0 and prior to versions 2.11.14 and 2.12.5, a missing sanity check on a WebSockets frame could trigger a server panic in the nats-server. This happens before authentication, and so is exposed to anyone who can connect to the websockets port. Versions 2.11.14 and 2.12.5 contains a fix. A workaround is available. The vulnerability only affects deployments which use WebSockets and which expose the network port to untrusted end-points. If one is able to do so, a defense in depth of restricting either of these will mitigate the attack.

Affected

8 ranges
VendorProductVersion rangeFixed in
debiannats-server< nats-server 2.12.6-1 (forky)nats-server 2.12.6-1 (forky)
github.comnats-io_nats-server_v2>= 2.12.0 < 2.12.52.12.5
github.comnats-io_nats-server_v2>= 2.2.0 < 2.11.142.11.14
linuxfoundationnats-server>= 0 < 2.12.6-12.12.6-1
linuxfoundationnats-server>= 2.12.0 < 2.12.52.12.5
linuxfoundationnats-server>= 2.2.0 < 2.11.142.11.14
nats-ionats-server
nats-ionats-server

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv7.5HIGH
vendor_debian7.5HIGH
vendor_redhat7.5HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.