CVE-2026-33219
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from Vendor (https://github.com/nats-io/nats-server).
CVSS VectorVendor: https://github.com/nats-io/nats-server
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
3DescriptionCVE.org
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server offers a WebSockets client service, used in deployments where browsers are the NATS clients.
Problem Description
A malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data.
This is a milder variant of NATS-advisory-ID 2026-02 (aka CVE-2026-27571; GHSA-qrvq-68c2-7grw). That earlier issue was a compression bomb, this vulnerability is not. Attacks against this new issue thus require significant client bandwidth.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
Disable websockets if not required for project deployment.
AnalysisAI
NATS.io nats-server WebSockets service is vulnerable to unbounded memory consumption when malicious unauthenticated clients connect and transmit large amounts of data. This denial-of-service vulnerability affects versions before v2.12.6 or v2.11.15 and has a moderate CVSS score of 5.3 (CWE-770: Allocation of Resources Without Limits or Throttling). Unlike the related CVE-2026-27571 compression bomb variant, this attack requires significant client-side bandwidth rather than algorithmic compression exploitation.
Technical ContextAI
NATS.io is a cloud-native pub-sub messaging platform (CPE: pkg:go/github.com_nats-io_nats-server_v2) that offers WebSockets connectivity for browser-based clients. The vulnerability exists in the WebSockets handling code path prior to authentication completion. The root cause is classified under CWE-770 (Allocation of Resources Without Limits or Throttling), indicating insufficient resource allocation limits or throttling mechanisms on inbound WebSocket data before the authentication phase completes. When a client connects to the WebSockets port and begins transmitting data, the server buffers this data without enforcing limits, leading to unbounded memory allocation. This is specifically noted as a milder variant of CVE-2026-27571 (GHSA-qrvq-68c2-7grw), which was a compression-bomb attack; the current issue requires direct bandwidth rather than exploiting compression ratios.
RemediationAI
Upgrade nats-server to version v2.12.6 or later (main branch) or v2.11.15 or later (LTS branch). Check the NATS GitHub security advisory at https://github.com/nats-io/nats-server/security/advisories/GHSA-8r68-gvr4-jh7j for detailed patch instructions. If immediate patching is not possible, disable WebSockets functionality in nats-server configuration (disable websocket listener in the config file) if not required for your deployment, or restrict WebSocket listener access to trusted networks only via network-level controls (firewall rules, VPC security groups). Monitor memory usage on running nats-server instances for unexplained growth patterns that could indicate attack attempts. Apply rate limiting and connection throttling at the reverse proxy or load balancer layer if WebSockets must remain enabled.
Same technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today