cbcvebase.

Linuxfoundation Nats-Server vulnerabilities

26 known vulnerabilities affecting linuxfoundation/nats-server.

Total CVEs
26
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL3HIGH11MEDIUM12

Vulnerabilities

Page 1 of 2
CVE-2025-30215P2CRITICALCVSS 9.6≥ 0, < 2.10.27-12025-04-16
CVE-2025-30215 [CRITICAL] CVE-2025-30215: NATS-Server is a High-Performance server for NATS NATS-Server is a High-Performance server for NATS.io, the cloud and edge native messaging system. In versions starting from 2.2.0 but prior to 2.10.27 and 2.11.1, the management of JetStream assets happens with messages in the $JS. subject namespace in the system account; this is partially exposed into regular accounts to allow account holders to manage their assets. Some of the JS API requests were missi
osv
CVE-2020-26892P3CRITICALCVSS 9.8fixed in 2.1.92020-11-06
CVE-2020-26892 [CRITICAL] CWE-798 CVE-2020-26892: The JWT library in NATS nats-server before 2.1.9 has Incorrect Access Control because of how expired The JWT library in NATS nats-server before 2.1.9 has Incorrect Access Control because of how expired credentials are handled.
nvd
CVE-2022-28357P3CRITICALCVSS 9.8≥ 2.2.0, ≤ 2.7.42023-09-19
CVE-2022-28357 [CRITICAL] CWE-22 CVE-2022-28357: NATS nats-server 2.2.0 through 2.7.4 allows directory traversal because of an unintended path to a m NATS nats-server 2.2.0 through 2.7.4 allows directory traversal because of an unintended path to a management action from a management account.
nvd
CVE-2022-24450P3HIGHCVSS 8.8≥ 2.0.0, < 2.7.22022-02-08
CVE-2022-24450 [HIGH] CWE-862 CVE-2022-24450: NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the pr NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the "dynamically provisioned sandbox accounts" feature.
nvd
CVE-2026-27889P3HIGHCVSS 7.5≥ 2.2.0, < 2.11.14≥ 2.12.0, < 2.12.52026-03-25
CVE-2026-27889 [HIGH] CWE-190 CVE-2026-27889: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Star NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.2.0 and prior to versions 2.11.14 and 2.12.5, a missing sanity check on a WebSockets frame could trigger a server panic in the nats-server. This happens before authentication, and so is exposed to anyone who can connect to the websocke
nvdosv
CVE-2026-33216P3HIGHCVSS 7.5fixed in 2.11.15≥ 2.12.0, < 2.12.62026-03-25
CVE-2026-33216 [HIGH] CWE-256 CVE-2026-33216: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prio NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints. Versions 2.11.14 and 2.12.6 contain a fix.
nvdosv
CVE-2023-47090P3MEDIUMCVSS 6.5≥ 2.2.0, < 2.9.23≥ 2.10.0, < 2.10.22023-10-30
CVE-2023-47090 [MEDIUM] CWE-863 CVE-2023-47090: NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication bypass. An implicit $G NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication bypass. An implicit $G user in an authorization block can sometimes be used for unauthenticated access, even when the intention of the configuration was for each user to have an account. The earliest affected version is 2.2.0.
nvdosv
CVE-2026-29785P3HIGHCVSS 7.5fixed in 2.11.14≥ 2.12.0, < 2.12.52026-03-25
CVE-2026-29785 [HIGH] CWE-476 CVE-2026-29785: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prio NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.14 and 2.12.5, if the nats-server has the "leafnode" configuration enabled (not default), then anyone who can connect can crash the nats-server by triggering a panic. This happens pre-authentication and requires that compression be en
nvdosv
CVE-2026-33218P3HIGHCVSS 7.5fixed in 2.11.15≥ 2.12.0, < 2.12.62026-03-25
CVE-2026-33218 [HIGH] CWE-20 CVE-2026-33218: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prio NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable leafnode support if not n
nvdosv
CVE-2026-27571P3HIGHCVSS 7.5fixed in 2.11.12≥ 2.12.0, < 2.12.32026-02-24
CVE-2026-27571 [HIGH] CWE-409 CVE-2026-27571: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The WebSockets handling of NATS messages handles compressed messages via the WebSockets negotiated compression. Prior to versions 2.11.2 and 2.12.3, the implementation bound the memory size of a NATS message but did not independently bound the memory consump
nvdosv
CVE-2023-46129P3HIGHCVSS 7.5≥ 2.10.0, < 2.10.42023-10-31
CVE-2023-46129 [HIGH] CWE-321 CVE-2023-46129: NATS.io is a high performance open source pub-sub distributed communication technology, built for th NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The cryptographic key handling library, nkeys, recently gained support for encryption, not just for signing/authentication. This is used in nats-server 2.10 (Sep 2023) and newer for authentication callouts.
nvdosv
CVE-2020-28466P3HIGHCVSS 7.5≥ 2.0.0, < 2.2.02021-03-07
CVE-2020-28466 [HIGH] CVE-2020-28466: This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are a This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from the maintainers: Running a NATS service which is exposed to untrusted users presents a heightened risk. Any remote execution flaw or equivalent seriousness, or
nvd
CVE-2019-13126P3HIGHCVSS 7.5fixed in 2.0.22019-07-29
CVE-2019-13126 [HIGH] CWE-190 CVE-2019-13126: An integer overflow in NATS Server before 2.0.2 allows a remote attacker to crash the server by send An integer overflow in NATS Server before 2.0.2 allows a remote attacker to crash the server by sending a crafted request. If authentication is enabled, then the remote attacker must have first authenticated.
nvd
CVE-2021-3127P3HIGHCVSS 7.5≥ 2.0.0, < 2.2.02021-03-16
CVE-2021-3127 [HIGH] CWE-755 CVE-2021-3127: NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorrect Access Control because Impo NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorrect Access Control because Import Token bindings are mishandled.
nvd
CVE-2022-26652P3MEDIUMCVSS 6.5≥ 2.2.0, < 2.7.42022-03-10
CVE-2022-26652 [MEDIUM] CWE-22 CVE-2022-26652: NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStream streams. nats-streaming-server before 0.24.3 is also affected.
nvd
CVE-2026-33217P3MEDIUMCVSS 6.5fixed in 2.11.15≥ 2.12.0, < 2.12.62026-03-25
CVE-2026-33217 [MEDIUM] CWE-863 CVE-2026-33217: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prio NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using ACLs on message subjects, these ACLs were not applied in the `$MQTT.>` namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects. Versions 2.11.15 and 2.12.6 contain a fix. No known workaround
nvdosv
CVE-2022-29946P3MEDIUMCVSS 6.3≥ 0, < 2.9.8-12024-07-11
CVE-2022-29946 [MEDIUM] CVE-2022-29946: NATS NATS.io NATS Server before 2.8.2 and Streaming Server before 0.24.6 could allow a remote attacker to bypass security restrictions, caused by the failure to enforce negative user permissions in one scenario. By using a queue subscription on the wildcard, an attacker could exploit this vulnerability to allow denied subjects.
osv
CVE-2026-33215P3MEDIUMCVSS 6.5≥ 2.0.0, < 2.11.15≥ 2.12.0, < 2.12.52026-03-24
CVE-2026-33215 [MEDIUM] CWE-287 CVE-2026-33215: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server provides an MQTT client interface. Prior to versions 2.11.15 and 2.12.5, Sessions and Messages can by hijacked via MQTT Client ID malfeasance. Versions 2.11.15 and 2.12.5 patch the issue. No known workarounds are available.
nvdosv
CVE-2020-26521P3HIGHCVSS 7.5fixed in 2.1.92020-11-06
CVE-2020-26521 [HIGH] CWE-476 CVE-2020-26521: The JWT library in NATS nats-server before 2.1.9 allows a denial of service (a nil dereference in Go The JWT library in NATS nats-server before 2.1.9 allows a denial of service (a nil dereference in Go code).
nvd
CVE-2026-33247P3MEDIUMCVSS 5.3fixed in 2.11.15≥ 2.12.0, < 2.12.62026-03-25
CVE-2026-33247 [MEDIUM] CWE-215 CVE-2026-33247: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prio NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, if a nats-server is run with static credentials for all clients provided via argv (the command-line), then those credentials are visible to any user who can see the monitoring port, if that too is enabled. The `/debug
nvdosv
Linuxfoundation Nats-Server vulnerabilities | cvebase