CVE-2026-33218
Published 2026-03-25
Priority: P3 (46) · High · CVSS 3.1 base score 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.62% (45.0th percentile)
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable leafnode support if not needed or restrict network connections to the leafnode port, if plausible without compromising the service offered.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | nats-server | < nats-server 2.12.6-1 (forky) | nats-server 2.12.6-1 (forky) |
| github.com | nats-io_nats-server_v2 | >= 0 < 2.11.15 | 2.11.15 |
| github.com | nats-io_nats-server_v2 | >= 2.12.0-RC.1 < 2.12.6 | 2.12.6 |
| linuxfoundation | nats-server | < 2.11.15 | 2.11.15 |
| linuxfoundation | nats-server | >= 0 < 2.12.6-1 | 2.12.6-1 |
| linuxfoundation | nats-server | >= 2.12.0 < 2.12.6 | 2.12.6 |
| nats-io | nats-server | < 2.11.15 | 2.11.15 |
| nats-io | nats-server | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| ghsa | 7.5 | HIGH | |
| osv | 7.5 | HIGH | |
| vendor_debian | 7.5 | HIGH | |
| vendor_redhat | 7.5 | HIGH | |
Red Hat
nats-server: github.com/nats-io/nats-server: NATS-Server: Denial of Service via malformed message pre-authentication on leafnode port
vendor_redhat·2026-03-25·CVSS 7.5
CVE-2026-33218 [HIGH] CWE-1286
A flaw was found in NATS-Server, a high-performance messaging system. A remote attacker, by connecting to the leafnode port and sending a specially crafted malformed message before authentication
Debian
CVE-2026-33218: nats-server - NATS-Server is a High-Performance server for NATS.io, a cloud and edge native me...
vendor_debian·2026·CVSS 7.5
Scope: local
bookworm: open
forky: resolved (fixed in 2.12.6-1)
sid: resolved (fixed in 2.12.6-1)
trixie: open
OSV
NATS has pre-auth server panic via leafnode handling in github.com/nats-io/nats-server
osv·2026-03-26
OSV
CVE-2026-33218: NATS-Server is a High-Performance server for NATS
osv·2026-03-25·CVSS 7.5
GHSA
NATS has pre-auth server panic via leafnode handling
ghsa·2026-03-24·CVSS 7.5
CVE-2026-33218 [HIGH] CWE-20
### Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server allows hub/spoke topologies using "leafnode" connections by other nats-servers.
### Problem Description
A client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication.
### Affected Versions
Any version before v2.12.6 or v2.11.15
### Workarounds
1. Disable leafnode support if not needed.
2. Restrict network connections to your leafnode port, if plausible without compromising the service offered.
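The two workarounds expressed as nats-server configuration, added here as an illustration and not taken from the advisory or the nats-server project. The listener address 10.0.0.5 is an assumption, and 7422 is assumed to be the default leafnode port; the first fragment is the exposed setting, the second removes the leafnode listener entirely (workaround 1), and the third keeps it but binds it to an internal interface only (workaround 2). Upgrading to 2.11.15 or 2.12.6 remains the actual fix.

```conf
# BEFORE (exposed): the leafnode listener accepts connections from any
# network, and the crash is reachable before authentication completes.
port: 4222
leafnodes {
    port: 7422          # assumed default leafnode port, bound to all interfaces
}

# AFTER, workaround 1: omit the leafnodes block entirely so the listener
# never opens. Only valid when no leafnode topology is in use.
port: 4222

# AFTER, workaround 2: keep leafnodes but bind only to an internal interface
# (10.0.0.5 is an assumed address), and pair it with a host firewall rule
# that limits 7422 to the peer nats-servers that legitimately connect.
port: 4222
leafnodes {
    listen: "10.0.0.5:7422"
}
```

Each fragment is a complete standalone configuration; pick one. Restricting the listen address reduces exposure but does not remove the pre-auth parsing defect, so version checks should still be part of the remediation.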
### References
* This document is canonically: https://advisories.nats.io/CVE/secnote-2026-10.txt
* GHSA advisory: https://github.com/nats-io/nats-server/security/advisories/GHSA-vprv-35vv-q339
* MITRE CVE entry:
OSV
NATS has pre-auth server panic via leafnode handling
osv·2026-03-24·CVSS 7.5
No detection rules found.
No public exploits indexed.
* https://advisories.nats.io/CVE/secnote-2026-10.txt
* https://github.com/nats-io/nats-server/security/advisories/GHSA-vprv-35vv-q339
* https://access.redhat.com/errata/RHSA-2026:21769
* https://access.redhat.com/errata/RHSA-2026:22347
* https://access.redhat.com/errata/RHSA-2026:23345
* https://access.redhat.com/security/cve/CVE-2026-33218
* https://bugzilla.redhat.com/show_bug.cgi?id=2451450
* https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33218.json
Published: 2026-03-25