Github.Com Nats-Io Nats-Server V2 vulnerabilities

CVE-2026-27889 [HIGH] CWE-190 NATS: Pre-auth remote server crash via WebSocket frame length overflow in wsRead NATS: Pre-auth remote server crash via WebSocket frame length overflow in wsRead ### Background NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. When using WebSockets, a malicious client can trigger a server crash with crafted frames, before authentication. ### Problem Description A mi

CVE-2026-33217 [HIGH] CWE-863 NATS allows MQTT clients to bypass ACL checks NATS allows MQTT clients to bypass ACL checks ### Background NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The nats-server provides an MQTT client interface. ### Problem Description When using ACLs on message subjects, these ACLs were not applied in the `$MQTT.>` namespace, allowing MQTT clients to bypass ACL checks f

CVE-2026-33216 [HIGH] CWE-256 NATS has MQTT plaintext password disclosure NATS has MQTT plaintext password disclosure ### Background NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The nats-server provides an MQTT client interface. ### Problem Description For MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) an

CVE-2026-29785 [HIGH] CWE-476 NATS Server panic via malicious compression on leafnode port NATS Server panic via malicious compression on leafnode port ### Background NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. When configured to accept leafnode connections (for a hub/spoke topology of multiple nats-servers), then the default configuration allows for negotiating compression; a malicious remot

CVE-2026-33219 [HIGH] CWE-770 NATS is vulnerable to pre-auth DoS through WebSockets client service NATS is vulnerable to pre-auth DoS through WebSockets client service ### Background NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The nats-server offers a WebSockets client service, used in deployments where browsers are the NATS clients. ### Problem Description A malicious client which can con

CVE-2026-33218 [HIGH] CWE-20 NATS has pre-auth server panic via leafnode handling NATS has pre-auth server panic via leafnode handling ### Background NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The nats-server allows hub/spoke topologies using "leafnode" connections by other nats-servers. ### Problem Description A client which can connect to the leafnode port can crash the nats-server with

CVE-2026-33247 [HIGH] CWE-215 NATS credentials are exposed in monitoring port via command-line argv NATS credentials are exposed in monitoring port via command-line argv ### Background NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The nats-server provides an optional monitoring port, which provides access to sensitive data. The nats-server can take certain configuration options on the command-l

CVE-2026-33248 [MEDIUM] CWE-287 NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching ### Background NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. One authentication model supported is mTLS, deriving the NATS client identity from properties of the TLS Client Certificate. ### Prob

CVE-2026-33249 [MEDIUM] CWE-863 NATS: Message tracing can be redirected to arbitrary subject NATS: Message tracing can be redirected to arbitrary subject ### Background NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The nats-server supports telemetry on messages, using the per-message NATS headers. ### Problem Description A valid client which uses message tracing headers can indicate that the

CVE-2026-33223 [MEDIUM] CWE-290 NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing ### Background NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The nats-server offers a `Nats-Request-Info:` message header, providing information about a request. ### Problem Description The

CVE-2026-33246 [MEDIUM] CWE-287 NATS: Leafnode connections allow spoofing of Nats-Request-Info identity headers NATS: Leafnode connections allow spoofing of Nats-Request-Info identity headers ### Background NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The nats-server allows hub/spoke topologies using "leafnode" connections by other nats-servers. NATS messages can have headers. ### Problem Des

CVE-2026-33215 [MEDIUM] CWE-287 NATS is vulnerable to MQTT hijacking via Client ID NATS is vulnerable to MQTT hijacking via Client ID ### Background NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The nats-server provides an MQTT client interface. ### Problem Description Sessions and Messages can by hijacked via MQTT Client ID malfeasance. ### Affected Versions Any version before v2.12.6 or v

CVE-2026-33222 [MEDIUM] CWE-285 NATS JetStream has an authorization bypass through its Management API NATS JetStream has an authorization bypass through its Management API ### Background NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The persistent storage feature, JetStream, has a management API which has many features, amongst which are backup and restore. ### Problem Description Users with

CVE-2026-27571 [MEDIUM] CWE-409 nats-server websockets are vulnerable to pre-auth memory DoS nats-server websockets are vulnerable to pre-auth memory DoS ### Impact The WebSockets handling of NATS messages handles compressed messages via the WebSockets negotiated compression. The implementation bound the memory size of a NATS message but did not independently bound the memory consumption of the memory stream when constructing a NATS message which might then fail validation for size reasons. A

CVE-2025-30215 [CRITICAL] CWE-285 NATS Server may fail to authorize certain Jetstream admin APIs NATS Server may fail to authorize certain Jetstream admin APIs ## Advisory The management of JetStream assets happens with messages in the `$JS.` subject namespace in the system account; this is partially exposed into regular accounts to allow account holders to manage their assets. Some of the JS API requests were missing access controls, allowing any user with JS management permissions in any ac

CVE-2022-28357 NATS nats-server allows directory traversal via unintended path to a management action in github.com/nats-io/nats-server NATS nats-server allows directory traversal via unintended path to a management action in github.com/nats-io/nats-server NATS nats-server allows directory traversal via unintended path to a management action in github.com/nats-io/nats-server

CVE-2022-29946 [HIGH] CWE-863 NATS Server and Streaming Server fails to enforce negative user permissions, may allow denied subjects NATS Server and Streaming Server fails to enforce negative user permissions, may allow denied subjects NATS.io NATS Server before 2.8.2 and Streaming Server before 0.24.6 could allow a remote attacker to bypass security restrictions, caused by the failure to enforce negative user permissions in one scenario. By using a queue subscription on the wildcard, an attack

CVE-2021-32026 [LOW] NATS server TLS missing ciphersuite settings when CLI flags used NATS server TLS missing ciphersuite settings when CLI flags used (This advisory is canonically ) ### Problem Description The NATS server by default uses a restricted set of modern ciphersuites for TLS. This selection can be overridden through configuration. The defaults include just RSA and ECDSA with either AES/GCM with a SHA2 digest or ChaCha20/Poly1305. The configuration system allows for extensive use o

CVE-2023-46129 [HIGH] CWE-321 xkeys seal encryption used fixed key for all encryption xkeys seal encryption used fixed key for all encryption ## Background NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The cryptographic key handling library, nkeys, recently gained support for encryption, not just for signing/authentication. This is used in nats-server 2.10 (Sep 2023) and newer for authenticatio

CVE-2023-47090 [HIGH] CWE-305 NATS.io: Adding accounts for just the system account adds auth bypass NATS.io: Adding accounts for just the system account adds auth bypass ## Background NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. NATS users exist within accounts, and once using accounts, the old authorization block is not applicable. ## Problem Description Without any authorization rules in