cbcvebase.

Linuxfoundation Nats-Server vulnerabilities

26 known vulnerabilities affecting linuxfoundation/nats-server.

Total CVEs
26
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL3HIGH11MEDIUM12

Vulnerabilities

Page 2 of 2
CVE-2026-33219P4MEDIUMCVSS 5.3fixed in 2.11.15≥ 2.12.0, < 2.12.62026-03-25
CVE-2026-33219 [MEDIUM] CVE-2026-33219: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prio NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data. This is a milder variant of CVE-2026-2
nvdosv
CVE-2026-33223P4MEDIUMCVSS 5.4fixed in 2.11.15≥ 2.12.0, < 2.12.62026-03-25
CVE-2026-33223 [MEDIUM] CWE-290 CVE-2026-33223: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prio NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, the NATS message header `Nats-Request-Info:` is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective. An attacker with valid credent
nvdosv
CVE-2026-33246P4MEDIUMCVSS 5.4fixed in 2.11.15≥ 2.12.0, < 2.12.62026-03-25
CVE-2026-33246 [MEDIUM] CWE-287 CVE-2026-33246: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server offers a `Nats-Request-Info:` message header, providing information about a request. This is supposed to provide enough information to allow for account/user identification, such that NATS clients could make their own decisions on how to tr
nvdosv
CVE-2026-33222P4MEDIUMCVSS 4.9fixed in 2.11.15≥ 2.12.0, < 2.12.62026-03-25
CVE-2026-33222 [MEDIUM] CWE-285 CVE-2026-33222: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prio NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround
nvdosv
CVE-2026-33249P4MEDIUMCVSS 4.3≥ 2.11.0, < 2.11.15≥ 2.12.0, < 2.12.62026-03-25
CVE-2026-33249 [MEDIUM] CWE-863 CVE-2026-33249: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Star NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publis
nvdosv
CVE-2026-33248P4MEDIUMCVSS 4.2fixed in 2.11.15≥ 2.12.0, < 2.12.62026-03-25
CVE-2026-33248 [MEDIUM] CWE-287 CVE-2026-33248: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prio NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypas
nvdosv
Linuxfoundation Nats-Server vulnerabilities | cvebase