CVE-2026-33218
Severity: HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description
### Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The nats-server allows hub/spoke topologies using "leafnode" connections by other nats-servers.

### Problem Description

A client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication.

### Affected Versions

Any version before v2.12.6 or v2.11.15

### Workarounds

1. Disable leafnode support if not needed.
2. Restrict network connections to your leafnode port, if plausible without compromising the service offered.

### References

* This document is canonically: <https://advisories.nats.io/CVE/secnote-2026-10.txt>
* GHSA advisory: <https://github.com/nats-io/nats-server/security/advisories/GHSA-vprv-35vv-q339>
* MITRE CVE entry: <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33218>
Analysis
A pre-authentication vulnerability in NATS.io nats-server allows unauthenticated attackers to crash the server by sending a specially crafted malformed message to the leafnode port. All versions of nats-server prior to v2.12.6 and v2.11.15 are affected. …
Remediation
Within 24 hours: Inventory all nats-server deployments and confirm affected versions; assess business criticality of each instance. Within 7 days: Implement network segmentation to restrict leafnode port access to trusted internal networks only; enable detailed logging on NATS servers to detect exploitation attempts. …
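The first remediation step is an inventory pass that confirms which deployments run an affected build. The following is an added triage helper, not code from the advisory or the nats-server project, that classifies version strings against the two fixed releases the advisory names (v2.12.6 and v2.11.15). The subtle point it encodes is that 2.12.0 through 2.12.5 are numerically newer than 2.11.15 but still lack the 2.12.6 fix, so a plain "greater than 2.11.15" check would misclassify them. The host names and version strings in the sample inventory are constructed; releases on minor lines the advisory does not mention (2.13 and later) are treated as fixed, which is an assumption based on the advisory's wording.

```python
"""Triage helper for CVE-2026-33218 (added example, not nats-server project code).

Classifies nats-server version strings against the fixed releases named in the
advisory: v2.12.6 on the 2.12 line and v2.11.15 on the 2.11 line.
"""
import re
from typing import Dict, Iterable, Tuple, Union

Version = Tuple[int, int, int]

FIXED_2_11: Version = (2, 11, 15)
FIXED_2_12: Version = (2, 12, 6)


def parse_version(text: str) -> Version:
    """Extract (major, minor, patch) from 'v2.11.14', '2.12.5', or a line in
    the style of `nats-server -v` output such as 'nats-server: v2.12.5'.
    Pre-release suffixes (e.g. '-RC.1') are ignored for triage purposes."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no semantic version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Union[str, Version]) -> bool:
    """True if the version is listed as affected by the advisory."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    # Everything before the 2.11 fix is affected; this also covers 2.10.x and older.
    if v < FIXED_2_11:
        return True
    # 2.12.0 .. 2.12.5 are newer than 2.11.15 but predate the 2.12.6 fix.
    if (2, 12, 0) <= v < FIXED_2_12:
        return True
    # Assumption: versions on minor lines the advisory does not name (2.13+)
    # are treated as fixed, matching the advisory's "before v2.12.6 or v2.11.15".
    return False


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (host, version_string) pair to AFFECTED / fixed / unknown."""
    result: Dict[str, str] = {}
    for host, ver in inventory:
        try:
            result[host] = "AFFECTED" if is_affected(ver) else "fixed"
        except ValueError:
            # No parseable version (e.g. a source build); flag for manual review.
            result[host] = "unknown"
    return result


# Constructed sample inventory; host names and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("nats-hub-1", "nats-server: v2.12.5"),
    ("nats-hub-2", "v2.12.6"),
    ("nats-edge-1", "v2.11.14"),
    ("nats-edge-2", "2.11.15"),
    ("nats-legacy", "v2.10.22"),
    ("nats-unknown", "build from source"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14s} {status}")
```

Feed it the output of `nats-server -v` collected from each host; any host reported as AFFECTED or unknown should be prioritised for the upgrade or, until then, for the leafnode port restrictions described in the workarounds.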