Skip to main content

CVE-2026-33218

HIGH
Improper Input Validation (CWE-20)
2026-03-24 https://github.com/nats-io/nats-server
7.5
CVSS 3.1 · Vendor: https://github.com/nats-io/nats-server
Share

Severity by source

Vendor (https://github.com/nats-io/nats-server) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (https://github.com/nats-io/nats-server).

CVSS VectorVendor: https://github.com/nats-io/nats-server

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 24, 2026 - 21:46 vuln.today
CVE Published
Mar 24, 2026 - 21:45 nvd
HIGH 7.5

DescriptionCVE.org

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server allows hub/spoke topologies using "leafnode" connections by other nats-servers.

Problem Description

A client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

  1. Disable leafnode support if not needed.
  2. Restrict network connections to your leafnode port, if plausible without compromising the service offered.

References

  • This document is canonically: <https://advisories.nats.io/CVE/secnote-2026-10.txt>
  • GHSA advisory: <https://github.com/nats-io/nats-server/security/advisories/GHSA-vprv-35vv-q339>
  • MITRE CVE entry: <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33218>

AnalysisAI

A pre-authentication vulnerability in NATS.io nats-server allows unauthenticated attackers to crash the server by sending a specially crafted malformed message to the leafnode port. All versions of nats-server prior to v2.12.6 and v2.11.15 are affected. This is a high-severity denial-of-service vulnerability with a CVSS score of 7.5, exploitable over the network without authentication, though no active exploitation (KEV) or public proof-of-concept has been reported at this time.

Technical ContextAI

NATS.io is a high-performance open source publish-subscribe messaging system designed for cloud-native, IoT, and edge computing environments. The affected component is the leafnode connection mechanism, which enables hub-and-spoke topologies by allowing other nats-server instances to connect as leaf nodes. The vulnerability is classified as CWE-20 (Improper Input Validation), indicating that the server fails to properly validate or sanitize messages received on the leafnode port before authentication completes. The affected products are identified via CPE as pkg:go/github.com_nats-io_nats-server_v2, confirming this impacts the Go-based nats-server implementation across version 2.x branches prior to the patched releases.

RemediationAI

Upgrade nats-server to version 2.12.6 or later if running the 2.12.x branch, or to version 2.11.15 or later if running the 2.11.x branch. Patched versions are available through the standard nats-server distribution channels as documented in the GitHub advisory at https://github.com/nats-io/nats-server/security/advisories/GHSA-vprv-35vv-q339. If immediate patching is not feasible, implement the following workarounds: disable leafnode support entirely if it is not required for your deployment topology, or restrict network access to the leafnode port using firewall rules or network segmentation to allow connections only from trusted nats-server instances. These workarounds provide temporary risk mitigation but should not replace patching as a permanent solution.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-33218 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy