CVE-2026-33218
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from Vendor (https://github.com/nats-io/nats-server).
CVSS VectorVendor: https://github.com/nats-io/nats-server
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server allows hub/spoke topologies using "leafnode" connections by other nats-servers.
Problem Description
A client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
- Disable leafnode support if not needed.
- Restrict network connections to your leafnode port, if plausible without compromising the service offered.
References
- This document is canonically: <https://advisories.nats.io/CVE/secnote-2026-10.txt>
- GHSA advisory: <https://github.com/nats-io/nats-server/security/advisories/GHSA-vprv-35vv-q339>
- MITRE CVE entry: <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33218>
AnalysisAI
A pre-authentication vulnerability in NATS.io nats-server allows unauthenticated attackers to crash the server by sending a specially crafted malformed message to the leafnode port. All versions of nats-server prior to v2.12.6 and v2.11.15 are affected. This is a high-severity denial-of-service vulnerability with a CVSS score of 7.5, exploitable over the network without authentication, though no active exploitation (KEV) or public proof-of-concept has been reported at this time.
Technical ContextAI
NATS.io is a high-performance open source publish-subscribe messaging system designed for cloud-native, IoT, and edge computing environments. The affected component is the leafnode connection mechanism, which enables hub-and-spoke topologies by allowing other nats-server instances to connect as leaf nodes. The vulnerability is classified as CWE-20 (Improper Input Validation), indicating that the server fails to properly validate or sanitize messages received on the leafnode port before authentication completes. The affected products are identified via CPE as pkg:go/github.com_nats-io_nats-server_v2, confirming this impacts the Go-based nats-server implementation across version 2.x branches prior to the patched releases.
RemediationAI
Upgrade nats-server to version 2.12.6 or later if running the 2.12.x branch, or to version 2.11.15 or later if running the 2.11.x branch. Patched versions are available through the standard nats-server distribution channels as documented in the GitHub advisory at https://github.com/nats-io/nats-server/security/advisories/GHSA-vprv-35vv-q339. If immediate patching is not feasible, implement the following workarounds: disable leafnode support entirely if it is not required for your deployment topology, or restrict network access to the leafnode port using firewall rules or network segmentation to allow connections only from trusted nats-server instances. These workarounds provide temporary risk mitigation but should not replace patching as a permanent solution.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today