Nats-Io Nats-Server vulnerabilities

CVE-2026-33216 [HIGH] CWE-256 CVE-2026-33216: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prio NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints. Versions 2.11.14 and 2.12.6 contain a fix.

CVE-2026-27889 [HIGH] CWE-190 CVE-2026-27889: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Star NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.2.0 and prior to versions 2.11.14 and 2.12.5, a missing sanity check on a WebSockets frame could trigger a server panic in the nats-server. This happens before authentication, and so is exposed to anyone who can connect to the websocke

CVE-2026-29785 [HIGH] CWE-476 CVE-2026-29785: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prio NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.14 and 2.12.5, if the nats-server has the "leafnode" configuration enabled (not default), then anyone who can connect can crash the nats-server by triggering a panic. This happens pre-authentication and requires that compression be en

CVE-2026-33218 [HIGH] CWE-20 CVE-2026-33218: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prio NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable leafnode support if not n

CVE-2026-33249 [MEDIUM] CWE-863 CVE-2026-33249: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Star NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publis

CVE-2026-33246 [MEDIUM] CWE-287 CVE-2026-33246: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server offers a `Nats-Request-Info:` message header, providing information about a request. This is supposed to provide enough information to allow for account/user identification, such that NATS clients could make their own decisions on how to tr

CVE-2026-33223 [MEDIUM] CWE-290 CVE-2026-33223: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prio NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, the NATS message header `Nats-Request-Info:` is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective. An attacker with valid credent

CVE-2026-33247 [MEDIUM] CWE-215 CVE-2026-33247: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prio NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, if a nats-server is run with static credentials for all clients provided via argv (the command-line), then those credentials are visible to any user who can see the monitoring port, if that too is enabled. The `/debug

CVE-2026-33222 [MEDIUM] CWE-285 CVE-2026-33222: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prio NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround

CVE-2026-33248 [MEDIUM] CWE-287 CVE-2026-33248: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prio NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypas

CVE-2026-33217 [MEDIUM] CWE-863 CVE-2026-33217: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prio NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using ACLs on message subjects, these ACLs were not applied in the `$MQTT.>` namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects. Versions 2.11.15 and 2.12.6 contain a fix. No known workaround

CVE-2026-33215 [MEDIUM] CWE-287 CVE-2026-33215: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server provides an MQTT client interface. Prior to versions 2.11.15 and 2.12.5, Sessions and Messages can by hijacked via MQTT Client ID malfeasance. Versions 2.11.15 and 2.12.5 patch the issue. No known workarounds are available.

CVE-2026-27571 [HIGH] CWE-409 CVE-2026-27571: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The WebSockets handling of NATS messages handles compressed messages via the WebSockets negotiated compression. Prior to versions 2.11.2 and 2.12.3, the implementation bound the memory size of a NATS message but did not independently bound the memory consump

CVE-2025-30215 [CRITICAL] CWE-287 CVE-2025-30215: NATS-Server is a High-Performance server for NATS.io, the cloud and edge native messaging system. In NATS-Server is a High-Performance server for NATS.io, the cloud and edge native messaging system. In versions starting from 2.2.0 but prior to 2.10.27 and 2.11.1, the management of JetStream assets happens with messages in the $JS. subject namespace in the system account; this is partially exposed into regular accounts to allow account holders to