CVE-2026-33219
Published 2026-03-25
Priority: P4 · 32 · Severity: medium · CVSS 3.1 base score: 5.3
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS: 0.53% (40.9th percentile)
NATS-Server is a high-performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data. This is a milder variant of CVE-2026-27571. That earlier issue was a compression bomb; this vulnerability is not. Attacks against this new issue thus require significant client bandwidth. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable websockets if not required for project deployment.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | nats-server | < nats-server 2.12.6-1 (forky) | nats-server 2.12.6-1 (forky) |
| github.com | nats-io_nats-server_v2 | >= 0 < 2.11.15 | 2.11.15 |
| github.com | nats-io_nats-server_v2 | >= 2.12.0-RC.1 < 2.12.6 | 2.12.6 |
| linuxfoundation | nats-server | < 2.11.15 | 2.11.15 |
| linuxfoundation | nats-server | >= 0 < 2.12.6-1 | 2.12.6-1 |
| linuxfoundation | nats-server | >= 2.12.0 < 2.12.6 | 2.12.6 |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (CVSS v3.1) | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| ghsa | 7.5 | HIGH | |
| osv | 7.5 | HIGH | |
| vendor_debian | 5.9 | MEDIUM | |
| vendor_redhat | 5.9 | MEDIUM | |
OSV
NATS is vulnerable to pre-auth DoS through WebSockets client service in github.com/nats-io/nats-server
osv · 2026-03-26
OSV
CVE-2026-33219: NATS-Server is a High-Performance server for NATS
osv · 2026-03-25 · CVSS 7.5 (HIGH)
GHSA
NATS is vulnerable to pre-auth DoS through WebSockets client service
ghsa · 2026-03-24 · CVSS 7.5 (HIGH) · CWE-770
### Background
NATS.io is a high-performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server offers a WebSockets client service, used in deployments where browsers are the NATS clients.
### Problem Description
A malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data.
This is a milder variant of [NATS-advisory-ID 2026-02](https://advisories.nats.io/CVE/secnote-2026-02.txt) (aka CVE-2026-27571; GHSA-qrvq-68c2-7grw).
That earlier issue was a compression bomb; this vulnerability is not. Attacks against this new
OSV
NATS is vulnerable to pre-auth DoS through WebSockets client service
osv · 2026-03-24 · CVSS 7.5 (HIGH)
Red Hat
github.com/nats-io/nats-server: NATS-Server: Denial of Service via unbounded memory use in WebSockets
vendor_redhat · 2026-03-25 · CVSS 5.9 (MEDIUM) · CWE-770
A flaw was found in NATS-Server. A malicious client connecting to th
Debian
CVE-2026-33219: nats-server - NATS-Server is a High-Performance server for NATS.io, a cloud and edge native me...
vendor_debian · 2026 · CVSS 5.9 (MEDIUM)
Scope: local

- bookworm: open
- forky: resolved (fixed in 2.12.6-1)
- sid: resolved (fixed in 2.12.6-1)
- trixie: open
No detection rules found.
No public exploits indexed.
References

- https://advisories.nats.io/CVE/secnote-2026-02.txt
- https://advisories.nats.io/CVE/secnote-2026-11.txt
- https://github.com/advisories/GHSA-qrvq-68c2-7grw
- https://github.com/nats-io/nats-server/security/advisories/GHSA-8r68-gvr4-jh7j
- https://access.redhat.com/errata/RHSA-2026:21769
- https://access.redhat.com/errata/RHSA-2026:22347
- https://access.redhat.com/errata/RHSA-2026:23345
- https://access.redhat.com/security/cve/CVE-2026-33219
- https://bugzilla.redhat.com/show_bug.cgi?id=2451445
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33219.json